The Company has developed an information security program to address material risks from cybersecurity threats. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. A risk assessment, based on a method and guidance from a recognized national standards organization, is conducted annually. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others. Specific controls that are used to some extent include endpoint threat detection and response, identity and access management, privileged access management, logging and monitoring involving the use of security information and event management, multi-factor authentication, firewalls and intrusion detection and prevention, and vulnerability and patch management.

Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, third parties are used in selected areas to conduct assessments, such as vulnerability scans and penetration testing. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring.

The Company has a written incident response plan and conducts tabletop exercises to enhance incident response preparedness. Business continuity and disaster recovery plans are used to prepare for the potential for a disruption in technology we rely on. Employees undergo security awareness training when hired and annually.

The Company has a Governance, Risk, and Compliance function to address enterprise risks, and cybersecurity is a risk category addressed by that function. The Company has a privacy and security governance committee.

The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. And events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

The Company’s Head of Information Technology (“Head of IT”) is primarily responsible for the development, operation, and maintenance of our information security program. The Head of IT has experience in managing cybersecurity risks and protocols, data protection practices, and identifying and addressing Cloud/IT/web security vulnerabilities. The Head of IT provides periodic updates to the Company’s management team regarding general security matters and, as appropriate, reports promptly on any identified security incidents. Oversight of the information security program at the Board level resides with the Audit Committee.