SMITH & WESSON BRANDS, INC. - (SWBI)

10-K Filing Date: June 20, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods, including conducting scans of the threat environment and conducting threat and vulnerability assessments. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats, including risk assessments, incident detection and response, end-point detection and response, network security controls, access controls, physical security, systems monitoring, a vendor risk management program, and penetration testing. We work with third parties (including professional services firms, threat intelligence service providers, and penetration testing firms) from time to time that assist us in identifying, assessing, and managing cybersecurity risks.

Our information security team reviews enterprise level cybersecurity risks at least annually, and key cybersecurity risks are identified, tracked, monitored, and addressed in alignment with our overall enterprise risk management program.

We utilize third-party service providers to perform certain business functions. We seek to engage reliable and reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, we may review the cybersecurity practices of such provider, contractually impose obligations on the provider, conduct information security risk assessments, and conduct periodic reassessments during their engagement.

We describe whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “We are subject to cyber-security risks, including risks related to customer, employee, vendor, and other company data” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.


Governance

The Audit Committee is responsible for overseeing risks from cybersecurity threats, in accordance with its charter. The Audit Committee holds quarterly meetings and receives periodic reports from our Vice President – Information Technology (Chief Information Officer) concerning our significant cybersecurity threats and risks, and the processes we have implemented to address them.

Management plays an important role in assessing and managing our material risks from cybersecurity threats. Our Vice President – Information Technology (Chief Information Officer) is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Audit Committee. He has over a decade of experience leading cybersecurity oversight, and leads other members of our information security team, who have professional cybersecurity experience, training, or certifications.

We maintain a cyber incident response plan that is designed to provide a framework that will allow us to respond effectively to a cybersecurity incident. A cyber emergency response team, which includes members of our executive leadership team, manages this plan. Beginning in fiscal 2024, this team began meeting monthly to discuss cybersecurity threat trends and related information. Our incident response processes are designed to escalate certain cybersecurity incidents to our cyber emergency response team and include reporting to the Audit Committee for certain cybersecurity incidents.

We view cybersecurity threats as a shared responsibility. All new employees with company email addresses receive cybersecurity training as part of their onboarding, as well as annual training. We also periodically publish a cybersecurity newsletter to these employees related to topics such as phishing, social engineering, and insider-threat awareness.
