Cybersecurity risk assessment and management processes

The process of assessing and managing risks in the realm of cybersecurity involves systematically identifying potential security threats to the Company’s information systems and data. It encompasses activities such as identifying vulnerabilities, evaluating the likelihood and impact of potential risks, and implementing measures to minimize those risks. The objective is to enhance the security posture of information systems and protect valuable data by effectively understanding and addressing potential risks.

Integration with Overall Risk Management:

Our cybersecurity risk management processes are incorporated within our comprehensive corporate risk management framework. This integration guarantees that cybersecurity risks receive equal attention and scrutiny as other risks within the organization. By applying the same level of rigor and priority, we ensure that cybersecurity risks are identified, assessed, and addressed effectively, aligning with our overall risk management approach.

When conducting regular risk assessments within the corporate risk management framework, cybersecurity risks are explicitly considered alongside other types of risks. The assessment process involves evaluating potential threats and vulnerabilities to the Company’s information systems, networks, and data assets. This may include analyzing the adequacy of security controls, reviewing incident response plans, and assessing the Company’s compliance with relevant cybersecurity standards and regulations. By integrating cybersecurity risk management into the broader risk management framework, the Company ensures that cybersecurity risks are not overlooked or treated as an isolated concern, but rather receive the same level of attention and priority as other risks impacting the Company’s overall objectives and operations.

Use of Third Parties

To continuously improve our cybersecurity measures, we actively collaborate with third-party assessors and consultants who regularly review and enhance our security practices. By partnering with these external experts, we ensure that our cybersecurity measures remain aligned with industry standards and best practices. These collaborations enable us to stay well-informed about emerging threats, incorporate the latest security technologies, and implement robust controls to safeguard our systems and data.

Third-Party Service Providers

We have implemented rigorous processes to effectively manage and oversee the risks associated with our third-party service providers. These processes include regular security assessments and audits to evaluate the security posture of the cybersecurity system. We also require our third-party service providers to adhere to our established security standards and protocols. By enforcing these measures, we ensure that our cybersecurity system maintains a high level of security and align with our risk management objectives. This approach helps mitigate potential vulnerabilities and safeguards the Company’s sensitive information and assets.

Impact of Cybersecurity Threats

Cybersecurity threats can have significant impacts on the Company as a whole.

Potential financial loss caused may by cybersecurity vulnerabilities.

Cybersecurity incidents can result in substantial financial losses for the Company. This includes direct costs such as incident response, investigation, and recovery expenses, as well as indirect costs like reputational damage, loss of customer trust, and potential legal liabilities. Financially motivated cyber threats such as ransomware attacks can also lead to extortion demands and financial disruption.

To prevent the potential financial loss caused by cybersecurity vulnerabilities, we establish robust security controls across the Company’s network, systems and applications. This includes using firewalls, intrusion detection and prevention systems, antivirus software and multifactor authentication.

Threats on data breaches and information loss

Cybersecurity threats can lead to unauthorized access, theft, or exposure of sensitive data. This can include personally identifiable information, financial records, intellectual property, trade secrets, and confidential business data. Data breaches can result in reputational damage, regulatory penalties, lawsuits, and loss of competitive advantage.

To reduce the risk of data breaches and information loss, we implement strong access controls. We ensure that access to sensitive data is granted only to authorized individuals and employee. We have implemented strong authentication mechanisms, such as multifactor authentication, and have enforced the principle of least privilege, providing users with access only to the data they need to perform their job responsibilities.

Threats on cyberattacks on operational disruption

Cyberattacks can disrupt the Company’s operations, leading to downtime, service disruptions, or system failures. This can impact productivity, customer service, and overall business continuity. Critical infrastructure sectors, such as energy, healthcare, and transportation, are particularly vulnerable to cyber threats, and attacks targeting them can have severe societal consequences.

We conduct employee training and awareness programs which can educate employees about cybersecurity best practices, including recognizing and reporting suspicious activities, social engineering, and phishing attempts. Regular training programs and awareness campaigns help foster a security-conscious culture within the Company.

We maintain constant vigilance in monitoring our vulnerability to cybersecurity threats and evaluating their potential consequences on our operations. Thus far, our proactive measures and preparedness to address potential risks have successfully prevented any significant disruptions caused by cybersecurity incidents.

Our Board maintains active involvement in overseeing the management of cybersecurity threats and risks. The responsibility for cybersecurity oversight has been specifically delegated to the Audit Committee, as outlined in the Audit Committee’s charter and its review of the risk management framework. The Audit Committee receives regular updates on cybersecurity risks, as well as information regarding the security and operations of our information technology systems, from the third-party assessors and consultants.

Throughout 2023, the Audit Committee received comprehensive briefings on information security matters during all of its scheduled meetings with our information technology team, third-party assessors and consultants. This session provided an overview of the information security landscape.

Apart from the information shared in these meetings, our Board members have access to internal and external educational resources pertaining to cybersecurity risks. Additionally, we benefit from the expertise of a Board member who possesses significant experience in managing cybersecurity companies.