Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We maintain high standards with respect to cybersecurity and our cybersecurity risk management program is integrated into our enterprise risk management framework, overseen by our Information Security Officer (“ISO”), meaning that cyber-risks are identified, evaluated, and managed with the same rigor as other strategic, operational, and financial risks. We have adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework principles as a guide for our security controls and processes, helping us structure our activities around identifying potential threats, protecting systems, detecting incidents, responding to events, and recovering operations. We engage independent third-party cybersecurity auditors and testers annually to review our Information Security Management (ISMS) and renew our ISO/IEC 27001 certification. Key elements of our program include:

●

Preventive Controls and Monitoring: We employ multiple layers of technical controls (firewalls, intrusion detection systems, encryption, and multi-factor authentication) to proactively monitor IT controls to ensure compliance with security policies, legal regulations, contractual obligations and industry best practices. Our Global Security Operations Center operates 24/7 with real-time monitoring capabilities to rapidly investigate alerts and trigger containment measures, which helps us minimize exposure or damage if a cybersecurity incident occurs.

●

Vulnerability Management and Testing: We conduct regular vulnerability assessments and annual external penetration testing of our systems and applications to probe for weaknesses. We also perform periodic exercises simulating cybersecurity incidents to test our defenses and response procedures. Findings from these tests are used to strengthen our security posture on an ongoing basis.

●

Incident Response Planning: We maintain a cybersecurity incident response plan that defines procedures for addressing security events. This plan is updated and tested regularly (including through tabletop drills and simulated breach exercises) so that our teams remain practiced in incident handling. In the event of an incident, our aim is to respond swiftly to contain the issue, notify appropriate stakeholders, investigate the root cause, and recover normal operations as soon as practicable.

●

Third-Party Risk Management: We carefully manage cybersecurity risks arising from our use of third-party software, cloud services, and suppliers. We perform due diligence and security risk assessments on critical third-party service providers, both at onboarding and periodically during the relationship. Our procurement and legal teams work together to incorporate robust cybersecurity requirements into contracts with vendors (for example, data protection standards and incident notification obligations). Where appropriate, we require suppliers to adhere to our security policies or industry standards, and we conduct

ongoing monitoring or audits of their security controls. These steps help reduce the risk that a weakness in a partner’s systems could compromise our data or operations.

●

Employee Training and Awareness: A strong security culture among our employees is one of our best defenses in relation to cybersecurity events. Our employees are required to complete annual cybersecurity and data protection awareness training. This training educates personnel on topics like phishing prevention, safe computing practices, and how to report potential security issues. We supplement formal training with periodic phishing email simulations and security reminders.

Through a combination of these technical, procedural, and educational measures, our program is designed to detect and respond to cybersecurity threats effectively and thereby safeguard our business operations and sensitive information.

Cybersecurity threats are endemic to the modern business environment, and attempts to penetrate our network security are frequent and on-going. However, to date, no cybersecurity threats (including incidents) have resulted in a material impact on our business strategy, results of operations, or financial condition. Despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident, that we will not experience a cybersecurity incident in the future, or that a past cybersecurity incident will not result in a future material impact. For additional information on cybersecurity related risks, see “Item 1A. Risk Factors” of this Annual Report on Form 10-K.

Cybersecurity Risk Management Processes Integrated [Text Block]

We maintain high standards with respect to cybersecurity and our cybersecurity risk management program is integrated into our enterprise risk management framework, overseen by our Information Security Officer (“ISO”), meaning that cyber-risks are identified, evaluated, and managed with the same rigor as other strategic, operational, and financial risks. We have adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework principles as a guide for our security controls and processes, helping us structure our activities around identifying potential threats, protecting systems, detecting incidents, responding to events, and recovering operations. We engage independent third-party cybersecurity auditors and testers annually to review our Information Security Management (ISMS) and renew our ISO/IEC 27001 certification. Key elements of our program include:

●

Preventive Controls and Monitoring: We employ multiple layers of technical controls (firewalls, intrusion detection systems, encryption, and multi-factor authentication) to proactively monitor IT controls to ensure compliance with security policies, legal regulations, contractual obligations and industry best practices. Our Global Security Operations Center operates 24/7 with real-time monitoring capabilities to rapidly investigate alerts and trigger containment measures, which helps us minimize exposure or damage if a cybersecurity incident occurs.

●

Vulnerability Management and Testing: We conduct regular vulnerability assessments and annual external penetration testing of our systems and applications to probe for weaknesses. We also perform periodic exercises simulating cybersecurity incidents to test our defenses and response procedures. Findings from these tests are used to strengthen our security posture on an ongoing basis.

●

Incident Response Planning: We maintain a cybersecurity incident response plan that defines procedures for addressing security events. This plan is updated and tested regularly (including through tabletop drills and simulated breach exercises) so that our teams remain practiced in incident handling. In the event of an incident, our aim is to respond swiftly to contain the issue, notify appropriate stakeholders, investigate the root cause, and recover normal operations as soon as practicable.

●

Third-Party Risk Management: We carefully manage cybersecurity risks arising from our use of third-party software, cloud services, and suppliers. We perform due diligence and security risk assessments on critical third-party service providers, both at onboarding and periodically during the relationship. Our procurement and legal teams work together to incorporate robust cybersecurity requirements into contracts with vendors (for example, data protection standards and incident notification obligations). Where appropriate, we require suppliers to adhere to our security policies or industry standards, and we conduct

ongoing monitoring or audits of their security controls. These steps help reduce the risk that a weakness in a partner’s systems could compromise our data or operations.

●

Employee Training and Awareness: A strong security culture among our employees is one of our best defenses in relation to cybersecurity events. Our employees are required to complete annual cybersecurity and data protection awareness training. This training educates personnel on topics like phishing prevention, safe computing practices, and how to report potential security issues. We supplement formal training with periodic phishing email simulations and security reminders.

Through a combination of these technical, procedural, and educational measures, our program is designed to detect and respond to cybersecurity threats effectively and thereby safeguard our business operations and sensitive information.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

We have established strong governance practices to oversee cybersecurity and IT risks. The Board of Directors has delegated primary oversight responsibility for cybersecurity to the Risk Management Committee (RMC) of the Board, which is composed of several Board members. Our Chief Information Officer (CIO) and Information Security Officer (ISO) receive security reports and threat intelligence from the Security Operations Center, which apprises the CIO and ISO of any potential incidents and the status of ongoing preventive measures and they share this information at least quarterly with the RMC. They also brief the full Board as needed on cybersecurity matters.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

We have established strong governance practices to oversee cybersecurity and IT risks. The Board of Directors has delegated primary oversight responsibility for cybersecurity to the Risk Management Committee (RMC) of the Board, which is composed of several Board members. Our Chief Information Officer (CIO) and Information Security Officer (ISO) receive security reports and threat intelligence from the Security Operations Center, which apprises the CIO and ISO of any potential incidents and the status of ongoing preventive measures and they share this information at least quarterly with the RMC. They also brief the full Board as needed on cybersecurity matters.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our CIO, Todd Weathersby, has more than 25 years of experience in global IT and cybersecurity management, and our ISO has more than 25 years of experience in cybersecurity, risk, and compliance (with certifications such as CISSP and CISM).

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true