Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management

We collect and maintain information in digital form that is necessary to conduct operations and engage with our customers and business partners, and we are increasingly dependent on information technology systems and network infrastructure to operate our business. We rely on information technology systems to keep financial records, manage our manufacturing operations, maintain quality control, fulfill customer orders, facilitate our research and development initiatives, maintain corporate records, communicate with staff and external parties and operate other critical functions. We operate some of these systems, but we also rely on third-party providers for a range of software, products and services that are critical to our operations and business. Both our and our third-party providers’ information technology systems are vulnerable to threat from cyber intrusion, ransomware, denial of service, phishing, account takeover, data manipulation, and other cyber misconduct.

Our information technology organization seeks to employ best practices, including the implementation of a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information. Our cybersecurity risk management program includes several processes, including, but not limited to, the following:

Cybersecurity incident response plan. The plan outlines the processes and procedures that we should follow to respond to, remediate and resolve a security incident involving a potential or actual compromise of our digital information. The plan also describes the structure, roles and responsibilities of internal information technology personnel involved in responding to such incidents and provides a process for alerting management of such incidents. The cybersecurity incident response plan is reviewed on an annual basis and revised as necessary.
Incident detection and prevention. We have implemented and maintained technologies and solutions to assist in the prevention of potential cybersecurity incidents. These safeguards include, among other things, intrusion prevention and detection systems, software patch management, including anti-virus and anti-malware installations, and ongoing vulnerability assessments.
Internal user and third-party information technology access. We employ various security measures, including data encryption, firewalls, email security and network segmentation with access control lists to restrict data availability to authorized systems and networks.
Information technology change management and physical security. We implement safeguards, protocols and procedures to protect data integrity, device vulnerabilities and secure our information technology infrastructure through network tools and systems. We aim to enhance information security by consolidating business systems and information systems on integrated platforms. We further conduct cybersecurity awareness training for our employees.

We designed and assessed our program based on industry standards and frameworks, including ISO (“International Organization for Standardization”), NIST (“National Institute of Standards and Technology”), and ITIL (“Information Technology Infrastructure Library”). While this does not imply that we meet any particular technical standards, specifications or requirements, we use these industry standards and frameworks as a guide to assist us to identify, assess and manage cybersecurity risks relevant to our business.

We work with third-party cybersecurity professionals to conduct security assessments of our enterprise-wide cybersecurity practices, including penetration testing, and identify areas for continuous improvement within the information security program.

Although we have implemented various measures to protect our information technology systems and mitigate cybersecurity threats, cybersecurity risk can never be eliminated, and we may from time to time be exposed to risks from cybersecurity threats. While we have not experienced any material cybersecurity threats or incidents as of the date of this Annual Report on Form 20-F, there can be no guarantee that we will not be the subject of future successful attacks, threats, or incidents that may materially affect us, including our business strategy, results of operations, or financial condition.

For more information regarding the risks associated with cybersecurity incidents, see “Item 3. Key Information—D. Risk Factors—Risks Related to Our Company and Our Industry—Interruption, security breaches or failures of information technology, control and communication systems could disrupt our business and expose us to liability” and “—Risks Related to Doing Business in China—Failure to comply with PRC regulations and other legal obligations concerning cybersecurity, privacy, data protection and informational security may materially and adversely affect our business, as we routinely collect, store and use data during the conduct of our business.”

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management program includes several processes, including, but not limited to, the following:
Cybersecurity incident response plan. The plan outlines the processes and procedures that we should follow to respond to, remediate and resolve a security incident involving a potential or actual compromise of our digital information. The plan also describes the structure, roles and responsibilities of internal information technology personnel involved in responding to such incidents and provides a process for alerting management of such incidents. The cybersecurity incident response plan is reviewed on an annual basis and revised as necessary.
Incident detection and prevention. We have implemented and maintained technologies and solutions to assist in the prevention of potential cybersecurity incidents. These safeguards include, among other things, intrusion prevention and detection systems, software patch management, including anti-virus and anti-malware installations, and ongoing vulnerability assessments.
Internal user and third-party information technology access. We employ various security measures, including data encryption, firewalls, email security and network segmentation with access control lists to restrict data availability to authorized systems and networks.
Information technology change management and physical security. We implement safeguards, protocols and procedures to protect data integrity, device vulnerabilities and secure our information technology infrastructure through network tools and systems. We aim to enhance information security by consolidating business systems and information systems on integrated platforms. We further conduct cybersecurity awareness training for our employees.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

The board of directors oversees the Company’s risk management processes directly and through its committees. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas.

The Nominating and Corporate Governance Committee oversees management’s implementation of our cybersecurity risk management program. The Nominating and Corporate Governance Committee receives periodic reports from management on our cybersecurity risks. In addition, our management updates the Nominating and Corporate Governance Committee, as necessary, regarding any material cyber security incidents, as well as any incidents with lesser impact potential. The Nominating and Corporate Governance Committee reports to the full board of directors regarding its activities, including those related to cybersecurity.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Nominating and Corporate Governance Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Nominating and Corporate Governance Committee receives periodic reports from management on our cybersecurity risks. In addition, our management updates the Nominating and Corporate Governance Committee, as necessary, regarding any material cyber security incidents, as well as any incidents with lesser impact potential. The Nominating and Corporate Governance Committee reports to the full board of directors regarding its activities, including those related to cybersecurity.
Cybersecurity Risk Role of Management [Text Block] Our management supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal information technology personnel; threat intelligence and other information obtained, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment. Our internal information technology personnel who support our information security program have relevant educational and industry experience, including holding similar positions at large companies.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] internal information technology personnel
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our internal information technology personnel who support our information security program have relevant educational and industry experience, including holding similar positions at large companies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our management supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal information technology personnel; threat intelligence and other information obtained, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true