Risk Management and Strategy.

We identify and assess material risks from cybersecurity threats to our information systems and the information residing in our information systems by monitoring and evaluating our threat environment on an ongoing basis using a variety of methods, including manual and automated tools, third-party reports and services, threat analysis, scans of the threat environment and risk assessments.

We manage material risks from cybersecurity threats through various processes and procedures, including, depending on the environment, risk assessment, incident detection and response, vulnerability management, disaster recovery and business continuity planning, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring and employee training. We also engage third-party service providers in certain areas of our information systems environment. Depending on the nature and extent of the services provided, the sensitivity and quantity of information processed and the identity of the provider, our processes may include conducting due diligence on the provider’s cybersecurity practices and contractually imposing cybersecurity-related obligations.

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information. Our cybersecurity risk management program is aligned with our business strategy and shares common methodologies, reporting channels and governance processes with other areas of enterprise risk, including legal, compliance, strategic, operational and financial risk. Key elements of our cybersecurity risk management program include:

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our Group, including our business strategy, results of operations or financial condition. In the last three fiscal years, we have not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. Refer to “Item 3. Key Information - D. Risk Factors - Risks Related to Our Business and Industry - Our business is dependent on information technology and is subject to cybersecurity risks. A cyberattack may disrupt our operations and compromise the personal data of our customers.”

Governance

Our board of directors has overall oversight responsibility for our Group’s risk management and strategy, including material risks related to cybersecurity threats. This oversight is exercised directly by the board and through its committees. Our audit committee oversees management of our major risk exposures, the steps management has taken to monitor and control such exposures, and the processes by which risk assessment and risk management are undertaken, including with respect to cybersecurity risks. The audit committee holds regular meetings and receives periodic reports from management regarding risk management, including major financial risk exposures from cybersecurity threats or incidents.

Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, implementing appropriate mitigation measures and maintaining cybersecurity programs. Within management, the Group’s chief executive officer is primarily responsible for assessing and managing material risks from cybersecurity threats on a day-to-day basis and keeping senior executive officers informed on a regular basis regarding the identification, assessment and management of cybersecurity risks and any cybersecurity incidents. Such personnel have prior experience and training in managing information systems and cybersecurity matters and participate in ongoing training programs. As of the date of this annual report, the Company has not encountered any cybersecurity incident that it believes has been material to the Company taken as a whole.