Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management Strategy And Governance [Abstract]  
Cybersecurity Risk Management Processes For Assessing Identifying And Managing Threats [Text Block]

Our Cybersecurity program is managed by our Chief Information Security Officer (CISO). The CISO is responsible for developing and managing the overall strategy, leading the response to cybersecurity incidents and reporting to the Board. The Audit Committee of the Board monitors our information security programs, including our cybersecurity risk management program, and receives updates quarterly, or more frequently as determined appropriate, from management on our cybersecurity program and systems protection.

Our CISO has over twenty-five years of experience in cybersecurity and holds active Certified Information Systems Security Professional and Certified Information Security Manager certifications. Our policies require teammates, contractors, service providers and suppliers who become aware of a cybersecurity incident or the individual’s supervisor to immediately report the cybersecurity incident to the appropriate reporting channels, which include the CISO. In the event of a cybersecurity incident, in addition to the standing members, teammates would be selected to serve on the Cybersecurity Incident Response Team (CIRT) based on the facts and circumstances of the particular cybersecurity incident. Additionally, our outside legal counsel is held on retainer to assist with our response to cybersecurity incidents.

We model our cybersecurity program to align with the practices and standards referenced within the National Institute of Standards and Technology cybersecurity framework. Our information security program is integrated within our larger enterprise risk management program and includes, but is not limited to:

Following the methodology of Identify, Protect, Detect, Respond, and Recover;
Mandatory annual cybersecurity awareness training for all teammates accessing our network;
Monthly Company-wide phishing prevention and awareness exercises;
Identification and remediation of information security risks and vulnerabilities in our information technology systems, including regular scanning of both internal and externally facing systems and annual third-party penetration testing;
Implementation of security technologies intended to identify and assist in containing and remediating malware risks;
Active monitoring of logs and events for our network perimeter and internal systems;
Due diligence of information security maintained by third-party vendors that handle our data;
Partnering with the Cybersecurity and Infrastructure Security Agency (CISA), DHS, and the Federal Bureau of Investigation, to leverage their provided sensitive or confidential threat intel and with CISA for weekly vulnerability scans of our key public-facing servers;
Maintaining a cyber insurance policy that provides coverage for security breach recovery and response; and
Engagement of third-party consultants to assess the health of our cybersecurity program.

We maintain a Cybersecurity Incident Response Plan (CIRP) to assist in promptly responding to, resolving, and recovering from cybersecurity incidents. The CIRP includes guidelines for assessing, identifying, managing, reporting, including disclosure of material breaches with the SEC, and remediating cybersecurity incidents. Following a cybersecurity incident, external subject matter experts, including legal counsel, are consulted to reduce the risk of further compromise to our information and to ensure proper reporting and documentation. The Audit Committee would be informed promptly of material cybersecurity incidents in the event that they arise. If a material cybersecurity incident were to occur, it could have a material effect on our business strategy, results of operations and financial condition. For more information see Item 1A. “Risk Factors” for the Risk Factor entitled “Our operations depend on the proper functioning of information systems, and our business or results of operations could be adversely affected if we experience a cyberattack or other systems breach or failure.”

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our information security program is integrated within our larger enterprise risk management program and includes, but is not limited to:
Following the methodology of Identify, Protect, Detect, Respond, and Recover;
Mandatory annual cybersecurity awareness training for all teammates accessing our network;
Monthly Company-wide phishing prevention and awareness exercises;
Identification and remediation of information security risks and vulnerabilities in our information technology systems, including regular scanning of both internal and externally facing systems and annual third-party penetration testing;
Implementation of security technologies intended to identify and assist in containing and remediating malware risks;
Active monitoring of logs and events for our network perimeter and internal systems;
Due diligence of information security maintained by third-party vendors that handle our data;
Partnering with the Cybersecurity and Infrastructure Security Agency (CISA), DHS, and the Federal Bureau of Investigation, to leverage their provided sensitive or confidential threat intel and with CISA for weekly vulnerability scans of our key public-facing servers;
Maintaining a cyber insurance policy that provides coverage for security breach recovery and response; and
Engagement of third-party consultants to assess the health of our cybersecurity program.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight And Identification Processes [Flag] true
Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant [Flag] false
Cybersecurity Risk Board Of Directors Oversight [Text Block] Our Cybersecurity program is managed by our Chief Information Security Officer (CISO). The CISO is responsible for developing and managing the overall strategy, leading the response to cybersecurity incidents and reporting to the Board. The Audit Committee of the Board monitors our information security programs, including our cybersecurity risk management program, and receives updates quarterly, or more frequently as determined appropriate, from management on our cybersecurity program and systems protection.
Cybersecurity Risk Board Committee Or Subcommittee Responsible For Oversight [Text Block] Audit Committee
Cybersecurity Risk Process For Informing Board Committee Or Subcommittee Responsible For Oversight [Text Block]

We maintain a Cybersecurity Incident Response Plan (CIRP) to assist in promptly responding to, resolving, and recovering from cybersecurity incidents. The CIRP includes guidelines for assessing, identifying, managing, reporting, including disclosure of material breaches with the SEC, and remediating cybersecurity incidents. Following a cybersecurity incident, external subject matter experts, including legal counsel, are consulted to reduce the risk of further compromise to our information and to ensure proper reporting and documentation. The Audit Committee would be informed promptly of material cybersecurity incidents in the event that they arise. If a material cybersecurity incident were to occur, it could have a material effect on our business strategy, results of operations and financial condition. For more information see Item 1A. “Risk Factors” for the Risk Factor entitled “Our operations depend on the proper functioning of information systems, and our business or results of operations could be adversely affected if we experience a cyberattack or other systems breach or failure.”

Cybersecurity Risk Role Of Management [Text Block] Our Cybersecurity program is managed by our Chief Information Security Officer (CISO). The CISO is responsible for developing and managing the overall strategy, leading the response to cybersecurity incidents and reporting to the Board.
Cybersecurity Risk Management Positions Or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions Or Committees Responsible [Text Block] Chief Information Security Officer (CISO)
Cybersecurity Risk Management Expertise Of Management Responsible [Text Block] Our CISO has over twenty-five years of experience in cybersecurity and holds active Certified Information Systems Security Professional and Certified Information Security Manager certifications.
Cybersecurity Risk Process For Informing Management Or Committees Responsible [Text Block] Our policies require teammates, contractors, service providers and suppliers who become aware of a cybersecurity incident or the individual’s supervisor to immediately report the cybersecurity incident to the appropriate reporting channels, which include the CISO. In the event of a cybersecurity incident, in addition to the standing members, teammates would be selected to serve on the Cybersecurity Incident Response Team (CIRT) based on the facts and circumstances of the particular cybersecurity incident.
Cybersecurity Risk Management Positions Or Committees Responsible Report To Board [Flag] true