As a company selling products, including those for defense applications, we may be the target of cyber-attacks from a variety of threat actors. Cybersecurity threats include attacks on, or other attempts to infiltrate, our information technology (IT) infrastructure and the IT infrastructure of our customers, suppliers, subcontractors and other third parties, attempting to gain unauthorized access to our confidential or other proprietary information, classified information, or information relating to our employees, customers, and other third parties, or to disrupt our systems or the systems of our customers, suppliers, subcontractors, and other third parties. Cybersecurity threats also include attempts to infiltrate our products or services, including attacks targeting the security, confidentiality, integrity and/or availability of the hardware, software and information installed, stored or transmitted in our products, including after the purchase of those products and when they are incorporated into third-party products, facilities, or infrastructure.

Our Cybersecurity Program.

Our products and services are normally classified as EAR 99 by the U.S. government, but our defense customers generally require compliance with the International Traffic in Arms Regulation (“ITAR”). Moreover, our products sold for defense applications are integrated with our customers’ products and these customers may provide us with Controlled Unclassified Information (CUI) that requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies. Given the nature of our business and the cybersecurity risks we face, we have instituted cybersecurity measures for identifying, assessing, and managing cybersecurity risks, which include material risks from cybersecurity threats to our internal systems, our products, services and programs for customers, and our supply chain.

The goals of our enterprise cybersecurity program align with the National Institute of Standards and Technology (NIST) standards, among others. The program includes processes and controls for the deployment of new IT systems by the Company and controls over new and existing system operations. We, or contracted third parties, monitor and conduct regular testing of these controls and systems, including vulnerability management through active discovery and testing to regularly assess patching and configuration status. In addition, we require our employees to complete data security training, and we regularly conduct simulated phishing and cyber-related communications.

Incident Response.

Our cybersecurity program includes monitoring for potential security threats that may lead to vulnerabilities. We evaluate and assign severity levels to incidents, escalate and engage an incident response team based on severity, and manage and mitigate the related risks. Incidents are reported internally to members of senior management and/or the Board of Directors as appropriate based on severity and incident type and are also analyzed for external reporting requirements. Our incident response process is also designed to coordinate functions to enable continuity of essential business operation in the event of a cyber crisis.

Third Party Service Providers.

We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program’s risk prevention and protection measures, and process execution including incident detection, investigation, analysis and response, eradication, and recovery. Our Chief Financial Officer and Vice President of Engineering meet regularly with third party service providers to review their performance and progress towards our cybersecurity initiatives.

Program Assessment.

We continuously evaluate and seek to improve and mature our cybersecurity processes against government standards. Our cybersecurity program is regularly assessed through management self-evaluation and ongoing monitoring procedures to evaluate our program effectiveness, including assessments associated with internal controls over financial reporting as well as vulnerability management through active discovery and testing to validate patching and configuration. As cybersecurity threats are continuously evolving, we also periodically engage with third parties to perform maturity assessments of our program to identify potential risk areas and improvement opportunities. This includes assessment of our overall program, policies and processes, compliance with regulatory requirements and an overall assessment of key vulnerabilities. We use these assessments to supplement our own evaluation of the overall health of our program and target improvement areas.