Cybersecurity Risk Management, Strategy, and Governance Disclosure
12 Months Ended
Apr. 30, 2025
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company is committed to maintaining a robust cybersecurity risk management program designed to identify, assess, and mitigate cybersecurity risks, including those related to data breaches, phishing, ransomware, insider threats, third-party relationships, software vulnerabilities, regulatory compliance, cloud security, artificial intelligence, and end-user computing. We are constantly evolving our cyber defenses to prevent and minimize impacts from cyber threats by using a multi-pronged approach that helps safeguard our assets and data.

We maintain and process a range of sensitive information, including Personally Identifiable Information (PII), Protected Health Information (PHI), financial data, intellectual property, and other regulated or proprietary information. Our cybersecurity management program is designed to protect the confidentiality, integrity, and availability of information systems and sensitive data. The program is aligned with cybersecurity frameworks and governance standards such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and NIST SP 800-53, and the International Organization for Standardization (ISO) 27001 information security management system framework as a structured approach to identifying, assessing, and mitigating cyber risk. Our cybersecurity management program includes the following elements:

Policies and Procedures: Processes are documented to formalize the implementation of the cybersecurity program.

Continuous Monitoring: Use of automated tools and third-party services for real-time threat detection, vulnerability scanning, penetration testing, and incident alerting.

Security Incident Response Plan: A formal plan that includes containment, eradication, recovery, and communication protocols.

Third-Party Risk Management: We assess the cybersecurity posture of third-party suppliers, vendors, and other partners through due diligence, including assessments at the initiation of the relationship and on an ongoing basis appropriate to the cyber risk.

Training and Awareness: All Kestra team members, including senior management, receive mandatory cybersecurity training and periodic phishing simulations.

Periodic Risk Assessment: We periodically re-assess the cybersecurity program for continuous improvement and to account for emerging risks.

In the event of a cybersecurity incident, our incident response team refers to the Company’s Security Incident Response Plan. Pursuant to this process, designated personnel are responsible for assessing the severity of the incident and any associated threats, containing and resolving the incident as quickly as possible, managing any damage to the Company’s systems and networks, minimizing the impact on the Company’s stakeholders, analyzing and executing upon internal reporting obligations, escalating information about the incident to senior management, as appropriate, and performing post-incident analysis and program enhancements, as needed.

All Kestra team members participate in quarterly security awareness training, such as phishing tests, as well as mandatory annual Security Awareness and HIPAA Covered Entity training, to keep pace with industry standards, evolving challenges, and innovative solutions with respect to information security, data privacy, and cybersecurity risks to the Company. With respect to artificial intelligence, the Company has identified the potential exposure of trade secrets and protected health information to open large language models as a risk; accordingly, an Artificial Intelligence Acceptable Use Policy has been implemented, and all Kestra team members have been trained on its requirements.

As of the date of this Annual Report, the Company has not experienced any material cybersecurity incidents. Cybersecurity risks that are not currently known to the Company, or that are currently deemed immaterial, could materially affect the Company’s business, operations, or financial condition in the future.

We describe risks faced by us from identified cybersecurity threats in Item 1A, “Risk Factors—Risks Related to Our Business—Security breaches, loss of data, unauthorized uses or disclosures, and other disruptions involving our systems, products or data could compromise sensitive information related to our business or patients, result in operational disruption, or prevent us from accessing critical information, exposing us to liability, and adversely affecting our business, financial condition, results of operation and prospects.”

Governance

The Company’s Chief Information Officer (CIO) has primary responsibility for the Company’s cybersecurity program and manages the implementation of the cybersecurity risk management strategy, coordinating efforts across technical and operational functions. Our CIO has over 12 years of experience leading information security functions, including over seven years with the Company in roles of increasing seniority. Cybersecurity oversight is coordinated through the Security Council, which meets regularly and consists of cross-functional leaders. The Security Council is advised by the CIO and the Director of Information Security and Compliance on strategic cybersecurity initiatives, emerging threats, and risk posture. The Security Council formulates our cybersecurity policies and determines the priorities of our risk management plan. The information security team, led by the CIO, executes the plan, uses automated tools, follows procedures to monitor and respond to cyber threats, and subscribes to reports and services to stay current on the threat landscape.

In addition to full-time staff with cybersecurity responsibilities, we engage qualified third-party partners, including assessors, auditors, consultants and other entities to support our cybersecurity processes for security engineering, security monitoring, incident response, security assessments, and independent audits of cybersecurity controls. Third-party partners work under the direction of the CIO or their designee.

The Audit Committee of our Board of Directors is responsible for oversight of the Company's programs, policies, procedures, and risk management activities related to information security and data protection. The Audit Committee receives regular briefings on cybersecurity matters from the CIO, including updates on material risks, cyber incidents, cyber program maturity, and ongoing improvements. The CIO prepares regular updates on Cybersecurity, which are integrated into the Board of Directors’ broader oversight of enterprise risk management, and any material cyber risk is treated as part of overall business and risk management strategy.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The CIO prepares regular updates on Cybersecurity, which are integrated into the Board of Directors’ broader oversight of enterprise risk management, and any material cyber risk is treated as part of overall business and risk management strategy.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee of our Board of Directors is responsible for oversight of the Company's programs, policies, procedures, and risk management activities related to information security and data protection. The Audit Committee receives regular briefings on cybersecurity matters from the CIO, including updates on material risks, cyber incidents, cyber program maturity, and ongoing improvements.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee receives regular briefings on cybersecurity matters from the CIO, including updates on material risks, cyber incidents, cyber program maturity, and ongoing improvements.
Cybersecurity Risk Role of Management [Text Block]

The Company’s Chief Information Officer (CIO) has primary responsibility for the Company’s cybersecurity program and manages the implementation of the cybersecurity risk management strategy, coordinating efforts across technical and operational functions. Our CIO has over 12 years of experience leading information security functions, including over seven years with the Company in roles of increasing seniority. Cybersecurity oversight is coordinated through the Security Council, which meets regularly and consists of cross-functional leaders. The Security Council is advised by the CIO and the Director of Information Security and Compliance on strategic cybersecurity initiatives, emerging threats, and risk posture. The Security Council formulates our cybersecurity policies and determines the priorities of our risk management plan. The information security team, led by the CIO, executes the plan, uses automated tools, follows procedures to monitor and respond to cyber threats, and subscribes to reports and services to stay current on the threat landscape.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our CIO has over 12 years of experience leading information security functions, including over seven years with the Company in roles of increasing seniority. Cybersecurity oversight is coordinated through the Security Council, which meets regularly and consists of cross-functional leaders.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO has over 12 years of experience leading information security functions, including over seven years with the Company in roles of increasing seniority.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Security Council is advised by the CIO and the Director of Information Security and Compliance on strategic cybersecurity initiatives, emerging threats, and risk posture. The Security Council formulates our cybersecurity policies and determines the priorities of our risk management plan. The information security team, led by the CIO, executes the plan, uses automated tools, follows procedures to monitor and respond to cyber threats, and subscribes to reports and services to stay current on the threat landscape.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true