ITEM 1C. CYBERSECURITY.

Cybersecurity Risk Management and Strategy

The Company is committed to, and recognizes the importance of, information security, cyber readiness, and data privacy protections to our business and reputation, which includes assessing, identifying, and managing material risks associated with cybersecurity threats. Our cybersecurity program uses processes, technologies, and controls to assist in our efforts to assess, identify, and manage material cybersecurity-related risks.

The Company employs a number of tools and services, such as network monitoring and vulnerability assessments to inform our risk identification and assessment processes. We also maintain an incident response plan that outlines processes designed to triage, assess the severity of, escalate, contain, investigate, and remediate cybersecurity incidents while also complying with relevant legal obligations. Our employees receive cybersecurity awareness and sensitive information protection training on a regular basis, which we also periodically test for effectiveness through simulations, which may include simulated phishing emails and tabletop exercises. Additionally, the Company regularly makes assessments related to the potential impact of a security incident at a

third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems the Company uses. We also maintain cybersecurity risk insurance.

Our information security team serves as a first line of defense, including managing cyber risk strategy execution and owning the day-to-day management of these risks. Our enterprise risk management function, which includes members of our executive leadership team, serves as a second line of defense, bringing holistic risk oversight while serving as a partner to the business to help strategically manage risk. In particular, cybersecurity risks are monitored by a team composed of members of our executive team, who in turn provides updates to the Audit Committee of our Board of Directors, who is responsible for assisting the Board of Directors with oversight over cybersecurity risks.

Through the processes described above, we did not identify risks from current or past cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. See Part I, Item IA. Risk Factors – “Risks Related to Our Information Technology and Security”.

Cybersecurity Governance

Our Board of Directors and Audit Committee are actively engaged in the oversight of our information security program, including the Company’s technology and information security policies and practices, the internal controls relating to information security, and the steps taken by management to identify, monitor, and control any risk exposures. Our management has general responsibility for day-to-day implementation of our information technology, cybersecurity, and privacy strategies and policies, including deployment and use of security tools, applications, and employee training. Role or project specific employee training, as well as other training, may also occur, as needed. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Administrative Officer and our Senior Vice President of Operations and Technology, who are assisted by other members of our senior management team. The team engaged in the cybersecurity risk management process has risk management backgrounds, certifications, and/or cyber experience in prior professional roles and at the Company. The team also maintains expertise on cyber risk management through third party consultants, external training, and affiliations with relevant organizations.

Given the importance of information security to our customers, employees, suppliers and other partners, our Board and/or the Audit Committee receives reports as needed from the Chief Administrative Officer on cybersecurity-related matters, including the status of projects to strengthen our security systems and to improve our cyber threat readiness, as well as on the existing and emerging cyber threat landscape and our program for managing these security risks.