At GreenTree, our cybersecurity risk management program is an important component of our overall enterprise risk management program. Our cybersecurity risk management program is designed to be consistent with industry practices and provides a framework for addressing cybersecurity threats and incidents, including those related to the use of applications and services provided by third-party service providers. The program also facilitates coordination between different departments in our company. Our cybersecurity risk management program includes the following processes: (i) assessing the severity of cybersecurity threats, (ii) identifying the sources of cybersecurity threats (including whether they are associated with third-party service providers), (iii) implementing cybersecurity countermeasures and mitigation policies and (iv) notifying management of significant cybersecurity threats and incidents. Our cybersecurity team also works with third-party security experts to perform risk assessments and system enhancements. In addition, our cybersecurity team provides annual training.

Our management is responsible for identifying, considering and evaluating cybersecurity risks, establishing ongoing monitoring processes to ensure that potential cybersecurity risk exposures are monitored, and implementing appropriate mitigation measures and maintaining cybersecurity procedures. In particular, we have established a cybersecurity management group, or Cybersecurity Management Group, composed of professionals from our internal audit department, information technology center, and public affairs department to improve data security. The Cybersecurity Management Group is responsible for formulating data security and personal information protection strategies, plans, systems and specifications, providing necessary support, coordinating and making decisions on major data security incidents. Our cybersecurity procedures are conducted under the direction of our Cybersecurity Management Group, which oversees, mitigates and remediates cybersecurity incidents.

As of the date of this annual report, we have not experienced any significant cybersecurity incidents and have not identified any cybersecurity threats that could have a material impact on us, our business strategies, results of operations or financial condition.

We are subject to evolving government regulations and other legal obligations related to privacy, cybersecurity, information security and data protection, which are subject to change and subject to uncertainty in interpretation. Failure to comply with these governmental regulations and legal obligations could subject us, our employees and our business partners to significant reputational, financial, legal and operational consequences.