SANFILIPPO JOHN B & SON INC - (JBSS)
10-K Filing Date: August 21, 2024
Overview and Leadership
The Company maintains a company-wide risk management system focused on detecting, identifying, defending against and mitigating the impact of cybersecurity risks in order to guard our information technology systems and protect the confidentiality, integrity, and availability of our information technology processes and data. Our Board of Directors (the “Board”) is responsible for the oversight of cybersecurity risks, including through the delegation of certain cybersecurity oversight authority to the Audit Committee of the Board.
The Company’s information security function and management team is led by our Vice President of Information Technology and Cybersecurity, who has approximately 38 years of experience in the information technology area and holds the CISM certification, and our Senior Director of Information Technology Infrastructure and Cybersecurity, who has approximately 25 years of experience in the information technology area and holds CISSP, CCSP, CISM, and OSCP certifications.
The information security team is responsible for monitoring, managing and assessing cybersecurity risks and threats on a day-to-day basis. In particular, the information security team monitors, assesses and mitigates threats and is responsible for improving and strengthening the Company’s cybersecurity environment. As discussed below, the information security team works with nationally recognized third parties and licenses various cybersecurity tools and products to assist with assessing and managing cybersecurity risks. The information security team regularly interacts and discusses cybersecurity matters with our Chief Executive Officer, Chief Financial Officer, Chief Operating Officer and General Counsel as part of our company-wide risk management system. The information security team has plans and processes in place to escalate certain cybersecurity issues to senior management and the Board or the Audit Committee, including for consideration of whether, when and how to publicly disclose any material cybersecurity event. In addition, we maintain insurance to help reduce our exposure from potential losses should a cybersecurity incident arise.
The information security team undertakes or engages in the following practices and activities, among others, as part of the Company’s risk management system:
Use of Third Parties
The Company has engaged, and intends to continue to engage, nationally recognized third parties to assist the Company in assessing, among other things:
We also have engaged a nationally recognized third party to assist with a tabletop exercise to test our readiness in respect to certain of the preceding events and risks. When risks or threats are identified to the Company by a third party, the information security team is responsible for assessing the risk or threat and determining a course of action to mitigate the risk or neutralize the threat.
Impact of Cybersecurity Events
While no previous cybersecurity incidents have materially affected the Company, a cybersecurity incident could have a material impact on the Company’s results of operations and financial condition. As described above under “Item 1A‒Risk Factors‒Technology Disruptions, Failures or Breaches, Hacking Activity, Ransomware Attacks or Other Cybersecurity Events Could Materially and Adversely Affect Our Financial Condition and Results of Operations,” a material cybersecurity incident could disrupt our business, lead to the loss of data or cause us to suffer financial damage, in addition to litigation or remediation costs or penalties.
Governance Overview
The Board oversees cybersecurity risk through multiple methods. The Audit Committee of the Board has been delegated certain cybersecurity oversight responsibility and, among other things, receives quarterly updates and presentations from the information security team regarding the Company’s cybersecurity environment, cybersecurity risks and threats, cybersecurity projects the Company has implemented and plans to implement and other cybersecurity developments, and such committee reports to the full Board after each meeting. In addition to these quarterly reports to the Audit Committee, the information security team provides a presentation to the Board at least annually regarding the same topics covered with the Audit Committee. In addition, members of the Company’s internal audit team have certain responsibilities with respect to projects designed to test the Company’s cybersecurity controls and improve the overall cybersecurity environment.
The Company also has a Risk Assessment Committee composed of selected members of senior management. Member(s) of the information security team sit on this Risk Assessment Committee, which meets at least quarterly to address cybersecurity risks and discuss cybersecurity threats to the Company. Member(s) of the information security team have the opportunity to present at the Risk Assessment Committee meetings and raise issues and concerns regarding cybersecurity. The minutes of Risk Assessment Committee meetings are provided to the Board, and the General Counsel discusses with the Board the matters addressed at the applicable Risk Assessment Committee meeting.