Risk Management and Strategy

We have implemented and maintained various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).

Our IT team helps identify, assess and manage our cybersecurity threats and risks. Our IT team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, manual tools, automated tools, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats, engaging third party threat assessments, etc.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, cybersecurity incident response policy, vulnerability management policy, disaster recovery/business continuity plans, security standards, encryption of data, network security controls, data segregation, access controls, physical security, asset management, tracking and disposal, systems monitoring and employee training.

Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, (i) our IT team works with our management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business, and (ii) our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee of the board of directors, which evaluates our overall enterprise risk.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms including legal counsel, cybersecurity software providers and managed cybersecurity service providers. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes review of security assessment and imposition of information contractual obligations on the vendor. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

Governance

Our board of directors addresses our company’s cybersecurity risk management as part of its general oversight function. The audit committee of the board of directors is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain of our management, including our chief executive officer, our chief operating officer, our chief financial officer and our in-house general counsel. With the experience of setting up servers and firewalls, our senior network engineer is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, and overseeing the operation of our cybersecurity risks and cloud services. With the experience of software programming, our vice president of software department is mainly responsible for supervising our IT and software departments, including helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our vice president of software department reports to our chief executive officer and our chief executive officer is responsible for approving budgets.

Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, (i) our IT team works with our management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business, and (ii) our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee of the board of directors, which evaluates our overall enterprise risk.

Our board of directors addresses our company’s cybersecurity risk management as part of its general oversight function. The audit committee of the board of directors is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.