Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. Cybersecurity risks are managed across the Company and its subsidiaries and are integrated into our overall enterprise risk management (“ERM”) framework.

We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our information systems, data, and critical business processes. Our cybersecurity risk management program is integrated into our broader ERM program and shares common methodologies, reporting channels, and governance processes applicable to other legal, compliance, operational, and financial risks.

Our cybersecurity risk management program is informed by applicable laws and regulations and draws guidance from industry standards and best practices, including frameworks published by the National Institute of Standards and Technology (“NIST”). While we reference these frameworks to inform our approach, this does not imply that we meet any particular technical standard, specification, or certification.

Key elements of our cybersecurity risk management program include:

Risk Identification and Assessment. Periodic risk assessments designed to identify and evaluate cybersecurity risks that could affect our corporate information systems, cloud environments, data, third-party service providers, and business operations, including risks informed by threat intelligence and industry-specific threat activity.

Policies and Controls. Information security and cybersecurity policies that establish administrative, technical, and physical safeguards designed to protect systems and data, including access controls, monitoring, and incident response procedures.

Incident Response. A cybersecurity incident response policy that outlines procedures for detecting, analyzing, and responding to cybersecurity incidents, including escalation and internal reporting processes for incidents that may be significant or potentially material.

Third-Party Risk Management. A vendor risk management process designed to identify and assess cybersecurity risks associated with third-party service providers based on their criticality and risk profile, including contractual security requirements and ongoing monitoring, where appropriate.

Training and Awareness. Cybersecurity awareness training for employees and contractors with access to Company systems, intended to promote awareness of cybersecurity risks and individual responsibilities.

Use of External Experts. Engagement of external service providers, where appropriate, to assist with risk assessments, testing, monitoring, and other aspects of our cybersecurity program.

Despite these efforts, cybersecurity threats continue to evolve, and no security program can eliminate all risks. We have not identified any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For additional description of cybersecurity risks and potential related impacts on the Company, refer to the risk factor captioned “Cybersecurity threats and hacking attacks could compromise our systems and data, resulting in material adverse effects on our business, financial condition, and results of operations.” in Part I, Item 1A “Risk Factors.”

Cybersecurity Governance

Our Board has oversight responsibility for the management of risks facing the Company, including cybersecurity risks. The Board has delegated oversight of cybersecurity and information technology risks to the audit committee of the Board (the “Audit Committee”).

The Audit Committee receives periodic reports from management regarding cybersecurity risks, the status of our cybersecurity program, and significant developments. Management also provides updates to the Board or Audit Committee, as appropriate, regarding any cybersecurity incidents that are considered significant or potentially material.

Management is responsible for the day-to-day operation of our cybersecurity risk management program and for identifying, assessing, and managing material cybersecurity risks. Our cybersecurity program is led by our Vice President, Global Corporate IT, who has responsibility for information security and cybersecurity risk management across the organization and reports to executive management. Our Vice President, Global Corporate IT has over 13 years of experience in IT, including 8 years in software development and more than 5 years in roles with direct responsibility for cybersecurity governance, risk management, and compliance. He is supported by internal personnel and external cybersecurity service providers with experience in cybersecurity governance, risk management, and incident response.

We maintain a cross-functional incident response capability involving information technology, legal, finance, compliance, and communications personnel, which is activated as necessary in the event of a cybersecurity incident. Management assesses the severity and potential impact of cybersecurity incidents and escalates matters to executive management and the Board, as appropriate, including for materiality and disclosure considerations. We consult with external advisors, including legal counsel, as appropriate.