Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We are committed to protecting the privacy and security of our information assets and the data entrusted to us. Our cybersecurity program comprises multiple levels of physical, technical, and administrative safeguards. Our cybersecurity program is informed by industry standards, including the Center for Information Security (CIS) framework for security controls and benchmarks, the National Institute of Standards and Technology (NIST) standards, and the ISO 27000 framework. This does not imply that we meet any particular technical standards, specifications, or requirements at all times, only that we use CIS, NIST, and ISO 27000 as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration results in cybersecurity considerations as a key part of our decision-making processes. Our cybersecurity team considers emerging threats and new vectors of cyberattack and pursues a deliberate risk-avoidance approach. We also maintain our written security incident response runbook detailing the response and notifications involved with various security events.

Our cybersecurity training and education emphasizes periodic phishing tests and a mandatory training curriculum to assist our employees' awareness of common types of attacks. This includes awareness of phishing, malware, social engineering, and overall security best practices for new and existing employees. We also perform periodic, independent risk assessments that consider four primary areas of risk: physical, digital, social, and administrative/governance.

Since we understand that cybersecurity threats are complex and evolving, we have a dedicated team of both internal and external cybersecurity experts, which is led by our Chief Information Officer (CIO), Security Officer. This team is responsible for publishing information technology and security policies, promoting compliance with those policies, implementing a program to mitigate potential threats, and performing periodic risk and maturity assessments. Our risk mitigation measures include network segmentation, cyber protection and containment, detection and response, and recovery. The primary goal of this team is to decrease the risk of cyber incidents having a material impact.

We also have plans in place to respond to cybersecurity incidents. These plans address issues relating to preparation for and detection of incidents, as well as responding to and recovering from incidents. We have procedures designed to assess, investigate, contain, remediate, and mitigate cybersecurity incidents, as well as procedures that seek to comply with legal obligations and regulatory reporting requirements. We periodically engage with assessors, consultants, auditors, and other third parties to review our cybersecurity processes.

Recognizing the risks associated with third-party service providers, we implement processes to manage these risks. We conduct assessments of critical third-party providers before engagement and maintain ongoing monitoring to assess compliance with our cybersecurity standards. In addition, we require SOC 1 Type II attestations from those IT vendors whose applications or cloud infrastructure handle sensitive information.

In the past three years, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See the risk factor entitled "Our information technology systems may be subject to breaches, cyber-attacks or other disruptions that could, among other adverse consequences, cause us to violate laws and regulations and could adversely affect our business, results of operations, financial condition, cash flows, reputation or competitive position."

---

Cybersecurity Governance

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee responsibility for oversight of risk assessment and risk management, including cybersecurity, and the Company's policies and controls relating to information technology, management information systems, and cybersecurity. The Audit Committee receives quarterly reports from management on our cybersecurity risk management activities. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Audit Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity.

The CIO, Security Officer has over three decades of technology experience, working for leading technology and consulting companies and previously served as CIO, Security Officer for both public and private medical device and healthcare organizations. Our cybersecurity team includes a former chief information security officer for large healthcare organizations, a former head of global security for a major enterprise cybersecurity platform, and other similarly credentialed professionals. Our CIO, Security Officer reports to the Chief Financial Officer and provides regular reports to the Audit Committee on cybersecurity policies, procedures, and risk and remediation efforts. Our CIO, Security Officer also serves on our Disclosure Committee and has regular dialogue with the senior management team on information security matters and risk management practices.

The CIO, Security Officer is regularly informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. We believe this ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The cybersecurity team implements and oversees processes for the regular monitoring of our information systems. In the event of a cybersecurity incident, the cybersecurity team follows a written security incident response runbook, which includes procedures to, among other things, respond to the incident, mitigate its impact, and evaluate and satisfy applicable obligations.