ITEM 1C. CYBERSECURITY

 

We face significant and persistent cybersecurity risks due primarily to: the substantial level of harm that could occur to us and our customers were we to suffer impacts of a material cybersecurity incident; and our use of third-party products, services and components. We are committed to maintaining strong governance and oversight of these risks and to implementing mechanisms, controls, technologies and processes designed to help us assess, identify and manage these risks. While we have not, as of the date of this Annual Report, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We seek to detect and investigate unauthorized attempts and attacks against our network, products and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats.

We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies and other processes to assess, identify and manage material cybersecurity risks. Our cybersecurity program is designed to be aligned with applicable industry standards and is assessed periodically by independent third parties. We have processes in place to assess, identify, manage and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our business, and have processes to assess those issues for potential cybersecurity impact or risk. We also have a process in place to manage cybersecurity risks associated with third-party service providers. We impose security requirements upon our suppliers, including maintaining an effective security management program and abiding by information handling and asset management requirements. We have an escalation process in place to inform senior management and the Board of Directors of these material issues.