We have a comprehensive approach to mitigate cybersecurity risk which primarily focuses on three key elements:

Cybersecurity governance is supported by our information technology department which includes certified security professionals and seasoned security analysts. This department conducts an extensive periodic review of our security initiatives to assess the current state of our program (using a cybersecurity framework) and potential evolution based on current business risks along with detection and communication of cybersecurity threats and actions to mitigate those threats. Cybersecurity incidents meeting a pre-determined minimum threshold are communicated to a separate committee comprised of officers charged with reporting responsibilities to determine overall materiality and disclosure obligations.

We have engaged an independent third-party operations center that is focused on, among other things, monitoring alerts, logs, behavior analytics and end devices usage. This continuous monitoring is in conjunction with periodic security assessments, constant vulnerability scanning and frequent penetration tests. We also complete an initial vendor cybersecurity review process for new cloud-based software which provides a standardized review assessment. We monitor known third-party breaches, known software vulnerabilities that may affect third-party vendors and communicate as necessary with those vendors allowing us to increase security of our technology assets and our data.

Our board of directors oversees our cybersecurity risk and receives a quarterly cybersecurity report and an update from management which includes additional discussions of any relevant issues related to the understanding of technology and cybersecurity risk that may be relevant at any given time. This report includes, among other things, information regarding our current security posture and on-going cybersecurity events. Cybersecurity incidents meeting a pre-determined minimum threshold are communicated to our Board.