We employ procedures designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools, employee education, password encryption, frequent password change events, firewall detection systems, anti-virus software in-place and frequent backups.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities, including those that could arise from internal sources and external sources such as third-party service providers we do business with. We use a widely adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We may and are considering whether to further engage an assessor(s), consultant(s), auditor(s) or other third party(s) to supplement our processes.

To date, management is only aware of an attempted cyberattack on our Waavely website, which we believe was an attempt to disrupt service or steal protected data. Our IT team was able to recognize the effort in real time and take defensive measures to stop the attack. Management is not aware of any loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property from this incident or any other incident or event. Any significant disruption to our service or access to our systems in the future could adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations.

Our board of directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee of the board of directors oversees our cybersecurity risk and receives regular reports from our management team on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.