XML 55 R41.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Enterprise Risk Management Framework and Governance

The Cybersecurity Program is integrated with our enterprise risk management framework and is primarily managed by the CIO, the CISO, and other information security personnel and consultants, and is overseen by risk management, internal audit, senior management and the board of directors to ensure the confidentiality, integrity and the availability of the Company’s enterprise information systems, data and business operations. The Cybersecurity Program utilizes specialized third-party cybersecurity service providers to periodically perform penetration testing across certain internet-facing and business critical applications as well as external and internal network penetration tests.

Our Enterprise Risk Management unit separately provides independent oversight and monitoring of the Cybersecurity Program through periodic quality control testing and regulatory compliance verification of the Cybersecurity Program’s controls. Our Internal Audit unit is an independent corporate function reporting to the board of directors’ Audit Committee that also reviews the effectiveness of the Cybersecurity Program and whether it is effectively integrated into our overall enterprise risk management framework. Additionally, our Enterprise Risk Management and Internal Audit units may from time to time separately engage consulting services to perform independent cybersecurity controls audits and provide expert guidance.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The Cybersecurity Program, which is integrated into our enterprise risk management framework, assesses, identifies and protects our enterprise information systems, data and business operations from various security threats and contains the following elements:

Information Security Risk Assessment - Conducting internal and external risk and control assessment, quality control and assurance testing.

Identity and Access Management - Managing enterprise identity and access control systems.

Security Architecture - Managing security architecture, including secure code deployment standards, architecture security reviews, and cybersecurity advisory support.

Security Engineering - Designing, implementing and operating security technologies, including but not limited to malware protections, security event and incident management, data loss prevention, and phishing defenses.

Security Operations - Ensuring continuous operational coverage of security events and alerts, maintaining and executing processes for triage, containment, investigation and escalation/communication and threat intelligence.

Attack Surface Management - Managing vulnerability and patch management, network penetration testing, application security testing and exercises, including cybersecurity training, cyber-attack simulations and tabletop exercises with senior management to detect control gaps.

Third-Party Assessments - Coordinating, reviewing and analyzing third-party providers’ assessments of the Cybersecurity Program. Internal Audit may also perform a periodic cybersecurity program audit that may be supported by external consulting firms.

Third-Party Service Provider Reviews - Identifying and reviewing material risks from cybersecurity threats associated with certain third-party service providers.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Directors Oversight

The board of directors oversees our cybersecurity risks by periodically evaluating cybersecurity reports from senior management, including the CIO and CISO, as well as reports from the board committees and third-party consultants. The Risk Committee oversees our enterprise risk management framework including risks associated with data security, cybersecurity, IT infrastructure, and data privacy. The Audit Committee oversees the internal and external auditors’ review of our cybersecurity risks.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Management Oversight

Our CIO, CISO and other senior executives who oversee the Company’s enterprise IT infrastructure periodically meet in management committees to ensure that our enterprise information systems are protected from internal and external cybersecurity threats by monitoring cybersecurity controls, risk assessments and information system reports. The CIO, CISO and our management committees periodically provide cybersecurity reports about our Cybersecurity Program to senior management, the board of directors and our board committees.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Board of Directors Oversight

The board of directors oversees our cybersecurity risks by periodically evaluating cybersecurity reports from senior management, including the CIO and CISO, as well as reports from the board committees and third-party consultants. The Risk Committee oversees our enterprise risk management framework including risks associated with data security, cybersecurity, IT infrastructure, and data privacy. The Audit Committee oversees the internal and external auditors’ review of our cybersecurity risks.

Management Oversight

Our CIO, CISO and other senior executives who oversee the Company’s enterprise IT infrastructure periodically meet in management committees to ensure that our enterprise information systems are protected from internal and external cybersecurity threats by monitoring cybersecurity controls, risk assessments and information system reports. The CIO, CISO and our management committees periodically provide cybersecurity reports about our Cybersecurity Program to senior management, the board of directors and our board committees.

Cybersecurity Risk Role of Management [Text Block]

Our CIO, CISO and other senior executives who oversee the Company’s enterprise IT infrastructure periodically meet in management committees to ensure that our enterprise information systems are protected from internal and external cybersecurity threats by monitoring cybersecurity controls, risk assessments and information system reports. The CIO, CISO and our management committees periodically provide cybersecurity reports about our Cybersecurity Program to senior management, the board of directors and our board committees.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Risk Committee
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO, CISO and other senior executives who oversee the Company’s enterprise IT infrastructure periodically meet in management committees to ensure that our enterprise information systems are protected from internal and external cybersecurity threats by monitoring cybersecurity controls, risk assessments and information system reports.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] When a potential cybersecurity incident is detected, we gather the necessary information to classify the incident by type and severity and activate containment plans and response teams depending on the nature of the incident. Cybersecurity incidents that may impact enterprise business operations, compromise critical systems or result in unauthorized access to critical data will be escalated to the CISO and an internal incident response team comprised of senior IT, business operations and compliance personnel to coordinate any internal and external responses. The CISO and the internal incident team will also elevate any material cybersecurity incidents or unauthorized occurrences that jeopardize the confidentiality, integrity or availability of enterprise information to senior management and the board of directors.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true