Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

Information technology (“IT”), digital information and automation are essential components of the Company’s operations and growth strategy. The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard information systems and protect the availability, integrity and confidentiality of our data. The Cybersecurity Risk Management & Oversight Committee (consisting of the Senior Vice President of Business Applications & Digital Transformation, Vice President of IT, a member of our IT department, a senior member of our Legal department, and a member of Operations) sets IT risk strategy and makes risk-informed decisions related to our technology, which includes the assessment and response to cybersecurity risk. For purposes of this Item 1C disclosure, we refer to the Cybersecurity Risk Management & Oversight Committee as the “Cybersecurity Committee.”

The Company has integrated cybersecurity into its broader internal controls framework. The Company maintains a cybersecurity program overseen by the Cybersecurity Committee and is informed by key industry frameworks including the National Institute of Standards and Technology (“NIST”). In addition, we have set Company-wide policies and procedures concerning transactional workflow approvals, multifactor authentication, antivirus protection, confidential information and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by appropriate members of senior management.

The Company has continued to expand investments in IT security, including end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. Further, we conduct periodic external penetration tests, vulnerability assessments and maturity testing. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors and intellectual property. Additionally, we perform and document user and administrative access reviews of all domains, networks, applications, and systems at least quarterly.

We view cybersecurity as a shared responsibility. The Company maintains a formal information security training program for all employees that includes annual training on matters such as phishing and email security best practices. Employees are also required to complete annual compulsory training on data privacy. Security training is specialized based on employee roles.

Personnel

The Cybersecurity Committee is responsible for assessing and managing cybersecurity risk, which includes prevention, mitigation, detection, and remediation of cybersecurity incidents. The Cybersecurity Committee members collectively have relevant expertise in cybersecurity through appropriate experience, education, and in certain cases, industry-recognized certifications.

The Cybersecurity Committee works closely with other members of executive management to ensure that the Company has effective communication and understanding of its cybersecurity risk management.

The members of the Cybersecurity Committee work together to inform the Audit Committee of the Company’s Board of Directors (the “Audit Committee”) on cybersecurity risks at least quarterly. These reports include, among other things, current cybersecurity risk posture, status of projects to strengthen the Company’s information security systems, the effectiveness of our cybersecurity policies, procedures, and strategies, and any significant cybersecurity incidents that have occurred.

Third Party Engagement

The Company engages third-party expertise as part of the broader internal controls framework. These experts include independent cybersecurity assessors, consultants, and our internal audit team who evaluate and stress-test the Company’s networks, policies, cybersecurity technologies and preventative measures. Third-party experts evaluate the effectiveness of our cybersecurity program against industry standards and established frameworks, such as those set by NIST guidelines. The Company also engages an independent managed detection and response provider as an extension of the Company’s cybersecurity team.

Oversight of Third-Party Risk

The Company implements stringent processes to oversee and manage risks associated with third-party service providers. Upon initial engagement with third-party providers, the Company researches the vendor’s cybersecurity and threat reputation. We then require a completed security questionnaire and any relevant documentation including System and Organization Controls (“SOC”) 1 or SOC 2 reports, non-disclosure agreements (as appropriate), and evidence of cybersecurity insurance (as applicable). This documentation is compiled and assessed by the Cybersecurity Committee and documented in a workflow approval process. Existing vendors are evaluated bi-annually, and any updates to their cyber posture are documented in the same fashion. The internal business owners of cloud-based applications are required to perform and document user access reviews at least quarterly.  

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The Company has integrated cybersecurity into its broader internal controls framework. The Company maintains a cybersecurity program overseen by the Cybersecurity Committee and is informed by key industry frameworks including the National Institute of Standards and Technology (“NIST”). In addition, we have set Company-wide policies and procedures concerning transactional workflow approvals, multifactor authentication, antivirus protection, confidential information and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by appropriate members of senior management.

The Company has continued to expand investments in IT security, including end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. Further, we conduct periodic external penetration tests, vulnerability assessments and maturity testing. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors and intellectual property. Additionally, we perform and document user and administrative access reviews of all domains, networks, applications, and systems at least quarterly.

We view cybersecurity as a shared responsibility. The Company maintains a formal information security training program for all employees that includes annual training on matters such as phishing and email security best practices. Employees are also required to complete annual compulsory training on data privacy. Security training is specialized based on employee roles.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our Audit Committee is actively engaged in the oversight of the Company’s information security program. The Audit Committee receives reports on these matters from management at least quarterly, which includes discussion of management’s actions to identify and respond to threats, key performance indicators reflecting cybersecurity posture, and status of recent cybersecurity related initiatives. In addition, the Audit Committee periodically evaluates our cybersecurity strategy to ensure its effectiveness and, if appropriate, includes a review from third-party experts.

Cybersecurity Risk Management & Oversight Committee’s Role Managing Risk

The Cybersecurity Committee continuously updates its approach on cybersecurity to safeguard the Company’s sensitive information and assets based on assessments mentioned above. The program is supported by an organizational structure that reflects support from across the business.  

While processes and technologies are in place to reduce the likelihood and potential impact of cybersecurity incidents, the Company has established incident response procedures to address a cybersecurity threat should one occur.  The Company’s cybersecurity incident response plan (the “Response Plan”) provides for a timely and consistent response to actual or attempted cybersecurity incidents impacting the Company. The Response Plan includes (1) detection, (2) analysis, which may include timely notice to our Board and public disclosure if deemed material or appropriate, (3) containment, (4) eradication, (5) recovery and (6) post-incident review.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee receives reports on these matters from management at least quarterly, which includes discussion of management’s actions to identify and respond to threats, key performance indicators reflecting cybersecurity posture, and status of recent cybersecurity related initiatives. In addition, the Audit Committee periodically evaluates our cybersecurity strategy to ensure its effectiveness and, if appropriate, includes a review from third-party experts.
Cybersecurity Risk Role of Management [Text Block]

The Cybersecurity Committee is responsible for assessing and managing cybersecurity risk, which includes prevention, mitigation, detection, and remediation of cybersecurity incidents. The Cybersecurity Committee members collectively have relevant expertise in cybersecurity through appropriate experience, education, and in certain cases, industry-recognized certifications.

The Cybersecurity Committee works closely with other members of executive management to ensure that the Company has effective communication and understanding of its cybersecurity risk management.

The members of the Cybersecurity Committee work together to inform the Audit Committee of the Company’s Board of Directors (the “Audit Committee”) on cybersecurity risks at least quarterly. These reports include, among other things, current cybersecurity risk posture, status of projects to strengthen the Company’s information security systems, the effectiveness of our cybersecurity policies, procedures, and strategies, and any significant cybersecurity incidents that have occurred.

The Cybersecurity Committee continuously updates its approach on cybersecurity to safeguard the Company’s sensitive information and assets based on assessments mentioned above. The program is supported by an organizational structure that reflects support from across the business.  

While processes and technologies are in place to reduce the likelihood and potential impact of cybersecurity incidents, the Company has established incident response procedures to address a cybersecurity threat should one occur.  The Company’s cybersecurity incident response plan (the “Response Plan”) provides for a timely and consistent response to actual or attempted cybersecurity incidents impacting the Company. The Response Plan includes (1) detection, (2) analysis, which may include timely notice to our Board and public disclosure if deemed material or appropriate, (3) containment, (4) eradication, (5) recovery and (6) post-incident review.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Cybersecurity Committee
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Cybersecurity Committee members collectively have relevant expertise in cybersecurity through appropriate experience, education, and in certain cases, industry-recognized certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The members of the Cybersecurity Committee work together to inform the Audit Committee of the Company’s Board of Directors (the “Audit Committee”) on cybersecurity risks at least quarterly. These reports include, among other things, current cybersecurity risk posture, status of projects to strengthen the Company’s information security systems, the effectiveness of our cybersecurity policies, procedures, and strategies, and any significant cybersecurity incidents that have occurred.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true