STANDARD MOTOR PRODUCTS, INC. - (SMP)
10-K Filing Date: February 22, 2024
CYBERSECURITY
Cybersecurity Risk Management and Strategy
We maintain an enterprise-wide approach to risk management through which we identify, manage and mitigate significant risks, including those related to our information systems. Our cybersecurity risk management program, which applies to our global operations, focuses on our people, processes and technology, and is designed to secure our information systems by preventing, detecting and responding to current and emerging cybersecurity threats.
Our employees are a key element of our cybersecurity risk management program. All of our employees are required to adhere to our cybersecurity practices, and undertake routine training to raise awareness and reinforce safe practices. Our training program includes bi-annual online training courses, group tabletop exercises, phishing and malicious email simulations, and information security bulletins. We also maintain policies that govern, and provide specific guidance to employees regarding how they may use our information systems.
Another key element of our cybersecurity risk management program is our use of processes and technologies to create information security safeguards and controls, tailored where appropriate to specific users or business needs. Our processes and technologies include firewalls, email security software and encryption, endpoint detection and response, access controls, backup and recovery procedures, system patches and updates, vulnerability scanning, penetration testing by third party vendors, incident response procedures, and internal and external audits of our information systems.
Through these internal and external assessments, we continuously identify areas for remediation and opportunities to improve the security of our information systems, including by evaluating our program against industry standards and best practices, such as the Cybersecurity Framework established by the National Institute of Standards and Technology (NIST) and the CIS Critical Security Controls established by the Center for Internet Security. We also track key performance indicators that we believe are indicative of the effectiveness of our cybersecurity risk management program.
For additional information related to cybersecurity risks that could have a material and adverse effect on our business, financial condition or results of operations, see “Our operations could be adversely affected by interruptions or breaches in the security of our computer and information systems” in Item 1A of this Report.
Cybersecurity Governance
The Audit Committee of our Board of Directors oversees the adequacy and effectiveness of our internal controls, policies and procedures regarding cybersecurity, information security and data protection, and compliance with applicable laws and regulations concerning privacy. Our Chief Information Officer (“CIO”), in turn, is responsible for managing the Company’s cybersecurity risk management program and incident response procedures. On a quarterly basis, and more frequently as circumstances warrant, our CIO briefs the Audit Committee on our cybersecurity risks, our strategies for preventing, detecting, responding to and mitigating such risks, including the effectiveness of our incident response procedures, and our information security controls. Our CIO has extensive knowledge and expertise regarding our information systems and security, having served in a variety of senior information technology positions across our organization for more than thirty years, and as an executive officer of the Company since 2006.
Additionally, our CIO leads an incident response team (“IRT”), charged with the ongoing management of our cybersecurity program. This team is responsible for the prevention, mitigation, detection and remediation of cybersecurity risks and incidents affecting our operations pursuant to our incident response procedures. The IRT is composed of information security professionals, who collectively bring decades of relevant information security and cybersecurity experience to their roles. In the event that a cybersecurity incident is detected, the IRT performs a multi-factor, risk-based assessment to determine the appropriate level of response. Depending upon the results of the assessment, including the nature and magnitude of the event, our incident response procedures provide for oversight and management of an incident by the IRT, under the direction of the CIO, or, in the event of escalation, under the direction of the executive officers of the Company, with reporting to and oversight by the Audit Committee.