Cybersecurity

Disciplined Risk Mitigation

Our comprehensive cybersecurity program maintains a strong focus on protecting the Company, our customers, partners, and vendors.

RISK MANAGEMENT AND STRATEGY

We understand the importance of identifying, assessing, and managing risks related to cybersecurity threats and data protection. We acknowledge the potential adverse effects of cybersecurity incidents on our business. As part of our enterprise risk management program, cybersecurity risks are evaluated alongside other company risks within the broader risk assessment process. Our data security plan incorporates a specialized cybersecurity risk assessment process, which helps us identify potential risks by benchmarking our procedures against National Institute of Standards and Technology (NIST) standards and engaging third-party experts to test the security of our information systems. Key aspects of our risk management program include:

  • Monitoring Regulatory Changes: We monitor emerging data protection laws and, if necessary, implement changes to our policies and employee training processes.
  • Cybersecurity Policy Reviews: We regularly review and update (when applicable) our policies and procedures related to cybersecurity.
  • Security Tools and Response Exercises: We use various tools, such as network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to assist in risk identification and assessment. We then use these findings (where applicable) to enhance our processes and technologies.
  • Employee Training: We conduct annual cybersecurity awareness training for all employees with computer access, as well as specific training for those who handle sensitive data or are involved in cybersecurity management.
  • Expert Collaboration: We work with third-party subject matter experts to assess cybersecurity threats, their severity, and potential mitigation strategies.
  • Safeguard Third-Party Data: Through policy, practice, and contracts (as applicable), we require employees, as well as third parties providing services on our behalf, to treat customer information and data with care.
  • Use of Third-Party Service Providers: As cybersecurity considerations affect the selection and oversight of our third-party service providers, we also conduct pre-engagement assessments for third-party providers based on the sensitivity of the data they handle and annually review SOC 1 or 2 reports for certain outsourced service providers whose systems are utilized in processing company or employee data.
  • Phishing Simulations: Regular phishing simulations help employees recognize and respond to potential email threats, with additional training provided, as necessary.
  • NIST Framework: We leverage the NIST incident handling framework to guide our responses to actual or potential cybersecurity incidents, covering identification, protection, detection, response, and recovery.

CYBERSECURITY INCIDENT RESPONSE PROCESS

Our incident response plan outlines the steps we take to prepare for, detect, respond to, and recover from cybersecurity incidents. This process includes assessing severity, escalating, containing, investigating, and remediating incidents, while ensuring compliance with applicable legal obligations and protecting our brand reputation. As part of this process, we regularly engage with third-party assessors and consultants to review and improve our cybersecurity program, focusing on compliance and areas for improvement. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity specific risk identification program.

OVERSIGHT OF CYBERSECURITY RISK

Our cybersecurity risk management strategy is led by the Information Technology Director (IT Director) and the Director of Information Security (IS Director). The IT Director reports directly to the Chief Financial Officer, ensuring timely notification of significant cybersecurity incidents to the senior management team. The management team and the enterprise risk committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents, including the operation of our incident response plan. The enterprise risk committee reviews cybersecurity risk management as a component of our overall enterprise risk management. The audit committee of the board of directors is responsible for the oversight of the company’s enterprise risk management program. The audit committee’s oversight includes reviewing and discussing with management (at least annually) management’s report on assessment of risk exposure and risk management, the processes in place to identify and manage significant risks, steps taken by management to control or mitigate such exposures, and management’s report on cybersecurity risk management, which includes strategies to mitigate data protection and cybersecurity risks. Additionally, the IT Director reports at least annually to the audit committee on cybersecurity threat risks, and our Chief Executive Officer reports regularly to the chair of our board of directors and to the full board of directors about emerging threats to our operations.