Item 1C. Cybersecurity.

 

Risk Management and Strategy

 

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan. We design and assess our program based on ISO 27002 standards. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the ISO 27002 as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. We engage external resources that contribute to, and provide independent evaluation of, our existing cybersecurity practices and organizational risk assessment systems. We use established processes designed to identify, assess, and manage third-party service provider risks when third parties handle, possess, process, and store the Company’s material information. Our cybersecurity risk management program includes (i) a policy designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment; (ii) the use of external service providers to manage, assess, test and otherwise assist with aspects of our security controls; and (iii) a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, there can be no assurance that our cybersecurity prevention and mitigation efforts will always be successful, and it is possible that cybersecurity threats could have a material adverse effect on our business, operations, or financial condition in the future.

 

Governance

 

Our board of directors administers its cybersecurity risk oversight function through its audit committee. The audit committee is responsible for overseeing our policies, practices and assessments with respect to cybersecurity, and provides periodic updates to our board of directors. The audit committee receives periodic updates from management and our external third party information technology consultant regarding the effectiveness of the systems and processes we have implemented designed to safeguard our information assets and operational integrity from cyber threats, protect employee information from unauthorized access or attack, as well as secure our networks and systems, and regarding other cybersecurity matters, including the results from cybersecurity systems testing and any recent cybersecurity incidents and related responses. Our audit committee is also notified between such updates as soon as practicable regarding significant new cybersecurity threats or incidents. The audit committee also receives a report on cybersecurity matters and related risk exposures periodically from our Chief Financial Officer.