We maintain a robust cybersecurity infrastructure to safeguard our operations, networks and data through comprehensive security measures including our technology tools, internal management and external service providers.

Our chief information officers (“CIOs”) are responsible for assessing, identifying, and managing the risks from cybersecurity threats. Our CIOs have significant experience in information technology and many of our information technology team members hold qualifications in technology security positions.

Our information security program includes, among other aspects, vulnerability management, antivirus and malware protection, encryption and access control, and employee training. Our CIOs, together with our cybersecurity team, review emerging threats, controls, and procedures as part of assessing, identifying, and managing risks. Risks identified by our cybersecurity program are analyzed to determine the potential impact on us and the likelihood of occurrence. Such risks are continuously monitored to ensure that the circumstances and severity of such risks have not changed.

We also endeavor to apprise employees of emerging risks and require them to undergo regular security awareness trainings and supplemental trainings as needed. Additionally, we conduct periodic internal exercises to gauge the effectiveness of the trainings and assess the need for additional training.

In addition, we engage independent third-party cybersecurity providers for testing and vulnerability detection. We regularly engage with third-party vendors to perform external penetration testing, which identifies potential threats and reduces the impact and/or likelihood of these threats. Our employees perform similar intrusion tests and internal and external scans to help improve and harden the company’s security posture. We also conduct security assessments of our IT vendors and certain business partners and maintain cyber incident response plans that are periodically reviewed and updated by our IT security and cyber defense teams and leveraged table top exercised performed by our IT teams.

Our board of directors, primarily through our audit committee, oversees management’s approach to managing cybersecurity risks as part of its risk management oversight. Our audit committee holds discussions with management regarding our guidelines and policies with respect to cybersecurity risks and receives reports from the CIOs regarding such risks and the steps management has taken to monitor and control any exposure resulting from such risks.

For information on our exposure to the cybersecurity risk, see “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Business and Industry—Unauthorized disclosure, destruction or modification of data, through cybersecurity breaches, computer viruses or otherwise or disruption of our services could expose us to liability, protracted and costly litigation and damage our reputation.” For more information on our cybersecurity team, see “Item 6. Directors, Senior Management and Employees—D. Employees—Risk Management Team—Cybersecurity Risk.

Our board of directors, primarily through our audit committee, oversees management’s approach to managing cybersecurity risks as part of its risk management oversight. Our audit committee holds discussions with management regarding our guidelines and policies with respect to cybersecurity risks and receives reports from the CIOs regarding such risks and the steps management has taken to monitor and control any exposure resulting from such risks.

Our board of directors, primarily through our audit committee, oversees management’s approach to managing cybersecurity risks as part of its risk management oversight. Our audit committee holds discussions with management regarding our guidelines and policies with respect to cybersecurity risks and receives reports from the CIOs regarding such risks and the steps management has taken to monitor and control any exposure resulting from such risks.

For information on our exposure to the cybersecurity risk, see “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Business and Industry—Unauthorized disclosure, destruction or modification of data, through cybersecurity breaches, computer viruses or otherwise or disruption of our services could expose us to liability, protracted and costly litigation and damage our reputation.” For more information on our cybersecurity team, see “Item 6. Directors, Senior Management and Employees—D. Employees—Risk Management Team—Cybersecurity Risk.