Item 1C. Cybersecurity

The Company’s cybersecurity principles, goals and targets are defined in a policy approved by the Board of Directors in connection with our IPO (the “Cybersecurity Policy”). The Cybersecurity Policy is anchored in a risk-based approach based on industry standards to balance the level of cybersecurity against the risks faced by the Company. Material risks are managed by both internal resources and third-party contractors. The Company believes that effective information security management is necessary for the secured sharing and protection of information within the Company’s cyberspace.

The Cybersecurity Policy applies to all directors, officers, employees and contractors of the Company and any parent, holding companies and subsidiaries regardless of their contract terms, who use the Company’s technological devices.

The Board of Directors is responsible for leading the Company to minimize the risk of unauthorized and malicious use, disclosure, potential theft, alteration or damaging effects on the Company’s operations while concurrently enabling the sharing of information in cyberspace. The Board of Directors is committed to ensuring that risks to the confidentiality, integrity or availability of Company-owned information assets are managed appropriately by implementing an information security risk management approach. The Company’s cybersecurity risk management is integrated into its overall enterprise risk management, sharing common reporting channels and governance processes that apply across the enterprise risk management program.

The Board of Directors, as a whole, oversees the Cybersecurity Policy and its implementation of the Company’s oversight, programs, procedures, and policies related to cybersecurity, cybersecurity risks, information security, and data privacy. Departments of the Company have been identified under the Cybersecurity Policy to report to Thomas Sanfilippo, the Company’s Chief Technology Officer, who is responsible for overseeing the cybersecurity strategy as defined in the Cybersecurity Policy.

The management team includes members with IT backgrounds to guide our cybersecurity efforts. Our Chief Technology Officer has 40 years of experience in the information technology field, including experience building and leading network, data center, and infrastructure teams. Our Governance, Risk, and Compliance (GRC) Specialist and IT Administrator has 10 years of experience in the cybersecurity field. Our management continuously assesses risk as internal and external factors evolve and remains committed to ensuring employees have the adequate resources and training to fully understand cybersecurity guidelines and expectations. In the event of a breach of the Cybersecurity Policy, members of the management team may be asked by the IT Department to assist with security investigations. If any member of management is unaware of the best course of action in dealing with an IT-related matter, the manager shall immediately contact the Chief Technology Officer. Upon discovering a potential violation of the Cybersecurity Policy or a cybersecurity breach, the member of management must document the incident and request the individual surrender possession of any devices that may have suffered a security breach.

We assessed all third-party vendors, including our third-party IT firms, before engaging them for various services. We have partnered with third-party IT providers to support our cybersecurity and information technology functions, with the Managed Security Operations Center operating 24/7/365 for automated email monitoring, malicious email quarantine, and reporting; secure systems design and architecture, security controls implementation, penetration testing, disaster recovery testing, and risk assessments. Through these partnerships, we maintain continuous security monitoring and control validation. We also perform yearly risk assessments on critical vendors and suppliers as part of our information technology general controls cyber security processes. The Head of IT will be notified and proceed accordingly if an event or incident requires input.

Additionally, the Company’s management leverages manual controls to verify data integrity and mitigate risk, considering the Company’s size and business model. Management also provides interim and year-end reports to the Board of Directors on the Company’s and its subsidiaries’ IT General controls (ITGC) related to cybersecurity and information security matters.

In 2025, we did not identify any cybersecurity events that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors — Cybersecurity incidents and threats including cyberattacks, ransomware attacks and security breaches of cloud services and our information systems, or those impacting our third parties, could adversely impact our brand and reputation and our business, operating results, and financial condition” and “— Any failure of our physical or information technology or operational technology infrastructure or services could lead to significant costs and disruptions.”