Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk management and strategy

The Company employs a multi-faceted approach to assess, identify, and manage material risks from cybersecurity threats. Components of our approach include the following:

The Company aligns its cybersecurity program with the Center for Internet Security (“CIS”) framework of Critical Security Controls.

System penetration testing is performed by rotating third-party service providers at least every 18 months.

System vulnerability testing is performed by our cybersecurity partner, who is System and Organization Controls (“SOC”) 2 certified and also assists with mitigation.

Network assessments are performed at least annually by qualified third-party service providers.

Facilitated incident response tabletop exercises are conducted at least bi-annually by qualified cybersecurity service providers.

Monitoring of Federal government alerts (CISA, FBI) and industry threat information is performed to stay current on the newest cybersecurity threats and bad actor tactics.

Multifactor authentication is required for all authorized users to access network resources, which adds a second layer of protection from unauthorized entry to our systems.

Associates are required to complete mandatory cybersecurity awareness training annually.

We have Certified Information System Security Professional (“CISSP”) and Information Systems Security Management Professional (“ISSMP”) certifications among our internal security personnel.

The cybersecurity risk assessment process is part of the Company’s overall risk management process. Our cybersecurity partner helps us prioritize actions to improve compliance with CIS Critical Security Controls and assists with those actions. The Company also utilizes other third-party consultants and services in our process of assessing and managing cybersecurity risk for a diverse perspective of our cybersecurity practices and posture. To mitigate the risk of cybersecurity threats related to the use of third-party service providers, the Company obtains and reviews SOC reports from third parties when available, to provide assurance that the third party has appropriate controls in place and has not identified any significant cyber issues. The Company does not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to affect our business strategy, results of operations, or financial condition. See Item 1A “Risk Factors” for a summary of certain cybersecurity risks.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

General risk assessment and management oversight resides with the Company’s Board of Directors. The Company’s Audit Committee has oversight of financial risks and is in charge of reviewing the Company’s information security disclosures and incident reporting related to cybersecurity. The Company’s Board of Directors reviews the Company’s information security procedures and evaluates management’s assessment of materiality for cyber incidents. The Board of Directors is formally updated on cybersecurity risks no less than annually. Management is responsible for assessing and managing material risks from cybersecurity threats. This responsibility primarily resides with the VP of Information Technology and his qualified team, including dedicated cyber security personnel. The qualifications of the Information Technology team include a combination of formal education (e.g., Master’s degrees in Cybersecurity and Information Assurance), CISSP and ISSMP certifications, and over 100 years of combined Information Technology experience. Management’s process for monitoring prevention, detection, mitigation, and remediation of cybersecurity incidents is summarized above in the Risk management and strategy section.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true