Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk management and strategy

The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company’s overall risk management systems, as overseen by the Company’s Board of Directors. These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company conducts security assessments of certain third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company from time to time engages third-party consultants, legal advisors, and audit firms in evaluating and testing the Company’s risk management systems and assessing and remediating certain potential cybersecurity incidents as appropriate.

The Company has an Information Security Program (“Program”) to protect personal and proprietary information in compliance with applicable federal and state requirements. The Program is designed to:

·

Ensure the security and confidentiality of employee and customer personal information and Company proprietary information;

·

Protect against anticipated threats or hazards to the security or integrity of such information; and

·

Protect against unauthorized access to, use of, or transfer of such information in a manner that could harm or inconvenience the Company, employees or customers.

For more information about these risks, see the risk factor titled “The Company relies on its information and communications systems in its operations. Security breaches and other disruptions could adversely affect its business and results of operations” under Item 1A.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

The Board recognizes that oversight of risk management is an important function and, for that reason, created the Risk Oversight Committee in 2010. Since that time, the Board has received regular reports from the Risk Oversight Committee and senior management in areas of material risk to the Company, including operational, financial, legal and regulatory, strategic, reputational and industry-related risks. The Risk Oversight Committee and the full Board reviewed and discussed these reports with the goal of overseeing the identification and management of, and the development of mitigation strategies for, these risks.

As part of its ongoing evaluation of Board efficacy and structure, the Board carefully considered this model for evaluating and managing risk. Among other things, the Board observed that, typically, the entire Board was present for meetings of the Risk Oversight Committee and

participated in risk discussions, rendering further discussions at Board meetings largely redundant. Accordingly, the Board decided to dissolve the Risk Oversight Committee and since then, the Board holds these discussions with management in connection with regular Board meetings with the continued goal of overseeing the identification and management of, and the development of mitigation strategies for, these risks. The Board believes that this approach promotes efficiency and helps ensure participation by all Directors. The Company’s Board of Directors regularly receives reports from management, including senior information technology (“IT”) leadership, and third parties on cybersecurity matters as part of the Company’s overall enterprise risk management program.

Senior IT leaders are responsible for developing appropriate cybersecurity programs, including as may be required by applicable law or regulation. These individuals’ expertise in IT and cybersecurity generally has been gained from a combination of education, including relevant degrees and/or certifications, and work experience. They are informed by their respective cybersecurity teams about, and monitor, the prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above.

Information regarding cybersecurity risks may be elevated by IT leadership through a variety of channels, including discussions between or among key leaders and Company management and reports to the Company’s Board of Directors and/or certain Board committees.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

the Board decided to dissolve the Risk Oversight Committee and since then, the Board holds these discussions with management in connection with regular Board meetings with the continued goal of overseeing the identification and management of, and the development of mitigation strategies for, these risks.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Information regarding cybersecurity risks may be elevated by IT leadership through a variety of channels, including discussions between or among key leaders and Company management and reports to the Company’s Board of Directors and/or certain Board committees.