Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing cybersecurity risks, including risks from cybersecurity threats that could be material to the Company, and have integrated these processes into our overall risk management systems and processes. We routinely assess cybersecurity threats, including any potential unauthorized occurrence on or conducted

through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein and the data we process, store, or transmit.

We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF and AI Risk Management Framework) and seek to follow industry best practices to identify, assess, and manage cybersecurity risks relevant to our business. While we use these frameworks to help evaluate and enhance our controls and processes, we do not represent that our program fully satisfies any particular technical standard, specification, or requirement. We conduct annual risk assessments to identify cybersecurity threats to our critical systems, information, services, and our broader enterprise IT environment. These risk assessments include identifying reasonably foreseeable potential internal and external risks, the likelihood of occurrence and any potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, controls, and other safeguards in place to manage such risks. As part of our risk management process, we may engage third party experts to help identify and assess risks from cybersecurity threats. Our risk management and assessment process also encompasses cybersecurity risks associated with our use of third-party service providers.

As part of our overall risk management and assessment program, we design, implement, and maintain reasonable safeguards to minimize potential risks, including cybersecurity risks; reasonably address any identified gaps in existing safeguards; update existing safeguards as necessary; and monitor the effectiveness of our safeguards which may include, as appropriate: (i) vulnerability management (including patching, configuration management, and remediation tracking); (ii) security monitoring and detection designed to identify anomalous activity; (iii) access controls and identity management practices intended to support least-privilege access; (iv) data protection practices (including, where appropriate, encryption and backup processes); (v) incident response planning and readiness activities, including tabletop exercises and lessons-learned reviews; and (vi) business continuity and disaster recovery planning for certain systems and processes. We also regularly provide cybersecurity awareness training to our employees at all levels and departments across the Company. The Company believes that we have allocated adequate resources to address the cybersecurity threats that may reasonably affect us. We evaluate our resourcing and investments in cybersecurity on an ongoing basis in light of our risk profile, business needs, and the evolving threat landscape.

Our cybersecurity team, consisting of our Vice President of Information Technology and our Information Security Officer manage the Company’s cybersecurity risk assessment as well as mitigation process and also oversee our Incident Response Team which also includes Vice Presidents of Legal, Human Resources and Tax. The Company also participates in a cybersecurity risk insurance policy, intended to help mitigate certain losses and expenses associated with cybersecurity incidents; however, such insurance may not cover all losses or all types of claims.

In July 2024, we experienced a cybersecurity incident involving unauthorized access to certain systems, which required us to implement containment and mitigation measures. Although we acted promptly and effectively to address the issue, the incident led to temporary interruptions in our business operations, including impacts to production and order fulfillment at some of our facilities. Additionally, in September 2024, we experienced another, albeit negligible, cybersecurity incident that similarly required containment actions out of an abundance of caution. Although the September incident had a minimal impact on our operations, it underscores the persistent and evolving nature of cybersecurity risks we face. We believe the impacts of these cybersecurity incidents, either measured together or individually, were not material to our financial condition or results of operations. In addition, we do not believe that risks from cybersecurity threats have materially affected our business strategy, financial condition, or results of operations. However, there is no guarantee that future cybersecurity incidents will not have a material impact in the future.

For additional information regarding cybersecurity threats that may materially affect the Company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K , including the risk factors entitled “We may be subject to disruptions, failures or cyber-attacks in our information technology systems and network infrastructures that could disrupt our operations, damage our reputation and adversely affect our business, operations, and financial results,” and “We rely on information technology systems, including third-party cloud-based solutions, and any failure of these systems, including, without limitation, due to outages and/or cyberattacks, may result in disruptions or outages, loss of processing capabilities, and/or loss of data, any of which may have a material adverse effect on our business, operations, and financial results.”

We have established policies and processes for assessing, identifying, and managing cybersecurity risks, including risks from cybersecurity threats that could be material to the Company, and have integrated these processes into our overall risk management systems and processes. We routinely assess cybersecurity threats, including any potential unauthorized occurrence on or conducted

through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein and the data we process, store, or transmit.

Governance

One of the functions of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board of Directors is responsible for overseeing and assessing strategic risk exposure, and our executive

officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole and through its committees. In particular, the Audit Committee of our Board of Directors plays a large role in overseeing and assessing our financial, legal and operational risks, and receives reports from the management team regarding organizational risk as well as particular areas of concern, which includes, but is not limited to cybersecurity risks, related mitigation, and other related responses and activities. Material cybersecurity matters are escalated to the Board and/or the Audit Committee based on their nature, scope, and potential impact.

Our Vice President of Information Technology and our Information Security Officer are primarily responsible for assessment and management of material risks from cybersecurity threats.

Our VP of Information Technology oversees key cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our Board of Directors and Audit Committee are informed at least annually about the Company’s policies and processes to monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. In addition, the VP of Information Technology will also report any cybersecurity risks and activities including but not limited to any cybersecurity threats and related responses and any cybersecurity systems testing.