Risk management and strategy

We (through our subsidiaries) maintain corporate cyber-security risk assessment programs that are designed to identify and manage material risks from cyber-security threats and protect the confidentiality, integrity, and availability of our critical information technology (IT) systems. These programs are integrated into our overall risk management systems, thereby helping to ensure that we address cyber-security risks in a comprehensive manner.

In implementing the processes of our cyber-security risk assessment program, we have internal cyber-security teams and we also engage outside assessors, consultants, auditors and other third parties to help us in identifying and managing our cybersecurity risks. The degree to which our internal cyber-security teams, as opposed to an external party, handle the implementation of a given cyber-security project depends on the specific needs of the project. We, through our subsidiaries, have processes in place to oversee and identify risks related to our outsourcing of certain portions of our cyber-security risks management. Those processes are designed to ensure that we utilize reliable and secure third-party vendors.

We regularly assess whether any risks from cyber-security threats are reasonably likely to materially affect our Group companies, and our or their business strategy, results of operations or financial condition. If any such risks are identified, we take appropriate measures to mitigate them. As with virtually every other public company, we believe that a potential material cybersecurity incident could potentially adversely affect our business operations in a material manner, due to the reliance that we place on our IT systems for, among other things: effectively managing our accounting and financial functions, including maintaining our internal controls; managing our sales and marketing processes for our solutions and services; and maintaining our proprietary rights (such as research and development, and other intellectual property- related data). While we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition, the failure of our IT systems to perform properly could disrupt our ability to develop, market and sell our solutions and services, which may result in decreased sales, increased overhead costs, and failure of our solutions to properly function, causing our business, our reputation, and our operating results to suffer. Please see “Item 3.D. Risk Factors-Risks Relating to Our Business, Our Industry, and Our Financing Activities- Significant disruptions of our information technology systems or breaches of our data security could adversely affect our business”.

Governance

As part of our (through our subsidiaries) corporate cybersecurity risk assessment program, we prioritize the identification and management of cybersecurity risk at several levels, including board oversight and involvement of each company’s management on an ongoing basis.

Our board of directors as a whole is responsible for the oversight of risks from cybersecurity threats to our subsidiaries’ operations. The Formula board of directors meets annually with our Chief Financial Officer, or CFO, who updates the board regarding the latest developments with respect to our subsidiaries’ cybersecurity risk assessment programs, the results of the latest risk assessments, and any material risks from cybersecurity threats that have been identified. The board also receives periodic, ongoing updates on the prevention, detection, mitigation and remediation of cybersecurity incidents, including details concerning any incidents that have occurred for our subsidiaries, our subsidiaries’ response to such incidents, and any lessons learned as a result (including any recommendations for improvement in our subsidiaries’ response).

Our management, led by our CFO, is primarily responsible for assessing and managing material risks from cybersecurity threats to our subsidiaries. Our CFO directly manages our cybersecurity risk assessment program. Our CFO has general knowledge of Information Systems and Technology. In handling his role, our CFO obtains information from our subsidiaries’ teams of cybersecurity professionals, which include individuals with prior work experience, degrees, certification, knowledge, skills and background in cybersecurity, including with respect to cybersecurity risk management, cybersecurity engineering and cybersecurity operations. Those cybersecurity teams are responsible for monitoring the prevention, detection, mitigation and remediation of cybersecurity incidents. That includes monitoring our subsidiaries’ IT network and systems for signs of cyber-attacks, responding to any cybersecurity incidents that occur, and implementing measures to prevent future incidents. The cybersecurity teams report information about cybersecurity risks to our CFO on a regular basis. That includes information about any material risks from cybersecurity threats that have been identified, the response of the relevant company within our Group to those risks, and any recommendations for improvement.

Our board of directors as a whole is responsible for the oversight of risks from cybersecurity threats to our subsidiaries’ operations. The Formula board of directors meets annually with our Chief Financial Officer, or CFO, who updates the board regarding the latest developments with respect to our subsidiaries’ cybersecurity risk assessment programs, the results of the latest risk assessments, and any material risks from cybersecurity threats that have been identified. The board also receives periodic, ongoing updates on the prevention, detection, mitigation and remediation of cybersecurity incidents, including details concerning any incidents that have occurred for our subsidiaries, our subsidiaries’ response to such incidents, and any lessons learned as a result (including any recommendations for improvement in our subsidiaries’ response).