We understand the importance of identifying, assessing, and managing risks related to cybersecurity threats and data protection. We acknowledge the potential adverse effects of cybersecurity incidents on our business. As part of our enterprise risk management program, cybersecurity risks are evaluated alongside other company risks within the broader risk assessment process. Our data security plan incorporates a specialized cybersecurity risk assessment process, which helps us identify potential risks by benchmarking our procedures against National Institute of Standards and Technology (NIST) standards and engaging third-party experts to test the security of our information systems. Key aspects of our risk management program include:
- Monitoring Regulatory Changes: We monitor emerging data protection laws and, if necessary, implement changes to our policies and employee training processes.
- Cybersecurity Policy Reviews: We regularly review and update (when applicable) our policies and procedures related to cybersecurity.
- Security Tools and Response Exercises: We use various tools, such as network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to assist in risk identification and assessment. We then use these findings (where applicable) to enhance our processes and technologies.
- Employee Training: We conduct annual cybersecurity awareness training for all employees with computer access, as well as specific training for those who handle sensitive data or are involved in cybersecurity management.
- Expert Collaboration: We work with third-party subject matter experts to assess cybersecurity threats, their severity, and potential mitigation strategies.
- Safeguarding Third-Party Data: Through policy, practice, and contracts (as applicable), we require employees, as well as third parties providing services on our behalf, to treat customer information and data with care.
- Use of Third-Party Service Providers: Cybersecurity considerations inform the selection and oversight of our third-party service providers. We conduct pre-engagement assessments of third-party providers based on the sensitivity of the data they handle, and we annually review SOC 1 or SOC 2 reports for certain outsourced service providers whose systems are used to process company or employee data.
- Phishing Simulations: Regular phishing simulations help employees recognize and respond to potential email threats, with additional training provided, as necessary.
- NIST Framework: We leverage the NIST incident handling framework to guide our responses to actual or potential cybersecurity incidents, covering identification, protection, detection, response, and recovery.