ITEM 1C. Cybersecurity

Risk Management and Strategy

We are focused on the growing threat of cybersecurity risks we face in today’s global business environment and have identified cybersecurity as an important enterprise risk. Our cybersecurity risk management program is part of our overall enterprise risk management program, and focuses on identifying, assessing, managing, and remediating material risks from cybersecurity incidents. We rely on risk-based security controls, including access limitations and contractual requirements on third-party service providers, as part of our overall approach of protecting the integrity, availability and confidentiality of our important systems and information. We have an established incident response plan (“IRP”) to respond to cyber incidents.

The Company follows the U.S. National Institute of Standards and Technology ("NIST") Cyber Security Framework to structure protocols for identifying, assessing and managing cybersecurity risks. In accordance with NIST guidance, we maintain documented information security policies and standards to protect operations, assets, data and services and to defend against, respond to and recover from potential cyber attacks.

These policies and standards include both preventive measures and reactive processes. Preventive measures include, but are not limited to, protective and detective cybersecurity systems, security monitoring, threat hunting and mandatory, enterprise-wide employee training. Our reactive processes are captured primarily by the IRP, which is comprised of an evolving set of procedures developed by cross-functional experts, and external consultants, who draw upon technical proficiency and learnings from past experiences. All these procedures and practices are tailored to our technology environment and are refined iteratively. Further, we have an information risk management program that includes a vendor risk assessment process, whereby we systematically oversee and identify risks from cybersecurity threats related to its use of third-party service providers.

The IRP is executed by an Incident Response Team ("IRT"), led by our Information Systems Director. The exact composition of the IRT varies depending on the severity and potential impact of an incident and will typically include internal IT professionals and stakeholders across corporate and business functions. The team collaborates with internal experts and may engage external resources to assess and contain a threat if deemed necessary. Such external resources may potentially include forensic investigation and response firms, law firms, forensic accountants, and consultants who are on retainer contracts for expedited availability.

While cybersecurity threats remain a risk to the Company’s business operations, our risk mitigation strategies have been effective to date. Accordingly, no such threats have materially affected our business strategy, results of operations or our financial condition in the past three fiscal years. Despite our cybersecurity policies and practices, we may not be successful in preventing or mitigating a cybersecurity incident resulting in a material adverse effect. For more information regarding how cybersecurity threats could materially affect our business strategy, results of operations or financial condition, see the business and operational risk factor: We rely heavily on information technology systems that, if not properly functioning, could materially adversely affect our business in Item 1A, Risk Factors.

Governance

Our Board of Directors has overall responsibility for enterprise risk management and has delegated the oversight of cybersecurity risks to the Audit Committee. The Company’s Chief Financial Officer ("CFO") immediately updates the Audit Committee on any significant cybersecurity incident and/or threat that may require an 8-K filing. Furthermore, the CFO reports quarterly to the Audit Committee on any significant cybersecurity incidents, threats, mitigation strategies and controls at each Audit Committee meeting. The Audit Committee then updates the full board on significant matters raised and discussed during these sessions. These updates include the following: