We maintain a robust cybersecurity infrastructure to safeguard our operations, networks and data through comprehensive security measures including our technology tools, internal management and external service providers.

Our chief information officers (“CIOs”) are responsible for assessing, identifying, and managing the risks from cybersecurity threats. Our CIOs have significant experience in information technology and many of our information technology team members hold qualifications in technology security positions.

We have both policies and procedures that align with the National Institute of Standards and Technology Cybersecurity Framework. Our information security program includes, among other aspects, vulnerability management, antivirus and malware protection, encryption and access control, and employee training. Our CIOs, together with our Team Security, reviews emerging threats, controls, and procedures as part of assessing, identifying, and managing risks. Risks identified by our cybersecurity program are analyzed to determine the potential impact on us and the likelihood of occurrence. Such risks are continuously monitored to ensure that the circumstances and severity of such risks have not changed.

We also endeavor to apprise employees of emerging risks and require them to undergo regular security awareness trainings and supplemental trainings as needed. Additionally, we conduct periodic internal exercises to gauge the effectiveness of the trainings and assess the need for additional training.

In addition, we engage independent third-party cybersecurity providers for testing and vulnerability detection. We regularly engage with third-party vendors to perform external penetration testing, which identifies potential threats and reduces the impact and/or likelihood of these threats. Our employees perform similar intrusion tests and internal and external scans to help improve and harden the company’s security posture. We also conduct security assessments of our IT vendors and certain business partners and maintain cyber incident response plans that are periodically reviewed and updated by our IT security and cyber defense teams and leveraged table top exercised performed by our IT teams.

Our board of directors, primarily through our audit committee, oversees management’s approach to managing cybersecurity risks as part of its risk management oversight. Our audit committee holds discussions with management regarding our guidelines and policies with respect to cybersecurity risks and receives reports from the CIOs regarding such risks and the steps management has taken to monitor and control any exposure resulting from such risks.

While we have experienced cybersecurity incidents in 2021 (as described under “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Business and Industries—We depend on our information technology systems, and any failure of these systems could adversely affect our business”), we did not experience any material cybersecurity incidents during fiscal year 2025.