The Company’s cybersecurity risk management practices are intended to assess, identify, and manage risks from threats to the security of our information, systems, products, and network. Our cybersecurity program is a key component of our broader risk management strategy in which cyber risk has been identified and is actively managed with preventive and mitigating measures. We design and assess our cybersecurity program based on the National Institute of Standards and Technology’s Cybersecurity Framework, ISO 27001, and industry-specific regulations. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use them as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Cybersecurity incidents could result from unintentional events, or from deliberate attacks by unauthorized entities or individuals attempting to gain access to Investview’s information technology systems for the purposes of misappropriating assets or information, or causing operational disruption and damage. To mitigate the risk of an impact on our business operations and/or damage from cybersecurity incidents or cyberattacks, Investview invests in multiple forms of cybersecurity and operational safeguards.

On an ongoing basis, we assess our people, processes, and technology, and when necessary, modify the overall program in order to meet the demands of the ever-changing cyber risk environment. As part of our regular training and readiness program, we conduct phishing and penetration testing campaigns in order to ensure that our employees are familiar with all types of phishing emails and similar threats.

Our data is dynamically backed up to mitigate against data loss. To prevent unauthorized access and data breaches, we encrypt sensitive data both in transit and at rest. We have also implemented access controls and multi-factor authentication to ensure that only authorized personnel can access sensitive information. We also utilize third-party information technology systems vendors to conduct regular network and endpoint monitoring.

Our risk management program is comprised of, among other things, policies that are designed to identify, assess, manage, and mitigate cybersecurity risk, and is based on applicable laws and regulations, derived from industry standards and best practices. These policies are intended to identify cybersecurity threats that may be associated with both internally managed systems and systems managed by third-party service providers.

We conduct risk assessments to evaluate the effectiveness of our systems and processes in addressing threats and to identify opportunities for enhancements. Additionally, we conduct privacy and cybersecurity reviews, as well as annual employee training, and monitor emerging laws and regulations related to information security and data protection. We utilize third-party tools and techniques to test and enhance our security controls, perform annual cybersecurity framework assessments, conduct ongoing penetration testing of our systems, and benchmark against best practices. Our internal audit function provides an independent assessment of the overall operations of our cybersecurity program and the supporting framework.

Our cybersecurity team engages and utilizes third-party services as it monitors and actively responds to cybersecurity threats. We utilize an Endpoint Detection and Response (EDR) platform, an anti-virus application, through which incoming electronic communications are filtered, and an email security platform that seeks out identifiers in communications that disguise, impersonate, or otherwise misrepresent the source of the communication. If such a communication is detected, it is subject to quarantine or removal depending on the severity of the issue. Additionally, we use a Security Information and Event Management (SIEM) system, which allows us to store logs off on the system of record to prevent log tampering and provides the cybersecurity team functionality to build alerts on specific use cases that are important and unique to our business. If our applications fail or our software does not successfully block a malicious electronic communication, employees are required to notify an immediate supervisor or the cybersecurity team promptly, but in no circumstances later than twenty-four (24) hours after such occurrence.

Upon detection of a cybersecurity incident and initial intake and validation by our cybersecurity team, our incident response team triages and evaluates the cybersecurity incident, and, depending on the severity, escalates the incident to management and a cross-functional working group. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment and reported to executive management. Determination of what resources are needed to address the incident, prioritizing of response activities, forming of action plans, and notification of external parties as needed are then undertaken by executive management and the cross-functional working group, led by our Executive Vice President-Technology (“Technology Officer”). We consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and our executive management makes the final materiality and disclosure determinations, among other compliance decisions.