Conducting our businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes in our businesses. Like other comparable-sized companies that process a wide variety of information, our information technology systems, networks and infrastructure and technology have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. These types of attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. For more information about these and other cybersecurity risks faced by us, see Part 1. Item 1A. Risk Factors.
Our Board has ultimate oversight for risks relating to our data security plan. In addition, the Board has delegated primary responsibility to the Audit Committee for assessing and managing data privacy and cybersecurity risks, reviewing data security and cybersecurity policies and processes with respect to data privacy and cybersecurity risk assessment and management, reviewing steps management has taken to monitor and control such risks, and regular inquires with our management team, internal auditors and independent auditors in connection therewith. The Audit Committee is also responsible for overseeing our investigation of, and response to, any cybersecurity attacks or threats.
We also have a dedicated team of employees overseeing our data security plan and initiatives, led by our Vice President of Information Systems (who has over twenty years’ experience working in cyber and information security roles with large companies), and works directly in consultation with internal and external advisors in connection with these efforts.
We have developed a procedure by which the Board and management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Our Incident Response Team, comprised of representatives of different departments within the Company, including the Vice President of Information Systems, works to identify cybersecurity-related incidents, and reports such incidents, along with any pertinent recommendations to update cybersecurity policies and procedures, to our management team. Our management team regularly reports to the Audit Committee, and more frequently as needed on such matters. The Audit Committee and management also provide an annual report to the Board on pertinent cybersecurity matters.