GENTHERM Inc - (THRM)
10-K Filing Date: February 21, 2024
Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems are necessary for the operation of our business. We use these systems, among others, to manage our product development and manufacturing, to communicate internally and externally, to operate our accounting and record-keeping functions, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data.
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, violation of data privacy or security laws, litigation, and legal, financial and reputational risk.
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical systems and our proprietary, strategic or competitive data. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data, including risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring, vendor risk management program and employee training. We conduct regular reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We have an incident response process that relies on a multidisciplinary team for assessing and managing cybersecurity incidents, including an escalation framework based on the materiality of incidents. The multidisciplinary team includes members of our IT security function, executive management of our legal, finance, human resources, corporate communications and internal audit/risk functions and third party service providers of technical, legal and insurance services, as well as coordination with law enforcement as appropriate. Our IT security function also addresses cybersecurity threats through regular vulnerability reviews, risk registry reviews and global team meetings.
Our information security processes are integrated into our overall enterprise risk management (“ERM”) process and system. Our ERM process relies on designated risk managers to identify and assess material risks from cybersecurity threats. The risk managers form a multidisciplinary group including members of our IT security, finance, human resources and legal functions, operations and executive management, and are responsible for timely reporting of risks on an ongoing basis. Our ERM process includes an annual evaluation and ranking of the top risks captured in our ERM system against leading third party benchmark reports on global risks.
We work with third parties from time to time that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, consulting firms, threat intelligence service providers, and penetration testing firms.
To operate our business, we utilize certain third-party service providers to support a variety of functions. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider, conducting security assessments, and conducting periodic reassessments during their engagement.
Our systems periodically experience directed attacks that may be intended to lead to financial loss, interruptions and delays in our operations as well as loss, misuse or theft of personal information (of third parties, employees, and other stakeholders) and other data, confidential information or intellectual property. However, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk factors” in this annual report on Form 10-K, including “Security breaches and other disruptions to our information technology networks and systems, including a disruption related to cybersecurity, could interfere with our operations and could compromise the confidentiality of our proprietary information or personal information”, for additional discussion about cybersecurity-related risks.
Governance
Our Board of Directors holds oversight responsibility for the Company’s strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board of Directors and through its committees. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
The Audit Committee of the Board of Directors (the “Audit Committee”) oversees the quality and effectiveness of the control and enterprise risk management processes of systemic risks, including cybersecurity, in accordance with its charter. The Audit Committee receives reports and engages in regular discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and reasonably manage these risks, including those that may result from material cybersecurity threats. The Audit Committee also receives reports on material cybersecurity and data privacy incidents (if any), which would include plans to mitigate and respond to such incidents, and status on key information security initiatives. These discussions include the Company’s enterprise risk assessment and risk management policies.
The Technology Committee of the Board of Directors oversees the management of risks associated with the Company’s products and technologies, including cybersecurity risks related to new product technologies or significant innovations to existing product technologies, in accordance with its charter.
Our Vice President & Chief Information Officer (the “CIO”) leads our global information security organization and reports to the Board of Directors on matters related to cybersecurity on behalf of the Company’s management. Our CIO has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at large industrial and technology companies.
Our CIO leads an internal IT Security Committee that meets regularly to oversee company-wide efforts to address cybersecurity threats, to assess the effectiveness of our information security program and to prioritize efforts to improve our security measures and planning. Our IT Security Committee includes members of our IT security function and executive management of our legal, finance and internal audit/risk, human resources and corporate communications and technology functions.