Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity incidents continue to become more prevalent requiring adequate and continuous assessment, identification, and management of material risks associated with cybersecurity threats. These risks include, among other things, disruption of our business processes and proprietary software, and potential unwanted disclosure of protected personal information which may cause harm to our employees, and clients, violations of privacy laws and regulations, breach of confidentiality and other contractual obligations, litigation and legal action, and financial and reputational harm. We utilize cybersecurity technologies and established procedures and processes to identify, assess, and manage these material cybersecurity risks.

Risk Assessments

Our Chief Information Officer (“CIO”) heads our technology team which establishes processes and procedures to assess technology related risks, including cybersecurity risks, to the Company. Protections we have in place include regular network monitoring, vulnerability assessments, and tabletop exercises to inform the company of potential risks and mitigation strategies. We also execute enterprise risk management assessments, which include cybersecurity threat risks.

Our CIO has reviewed the standards created by the National Institute of Standards and Technology and has incorporated their approaches where appropriate. We conduct internal and external risk assessments.

Our Board of Directors has ultimate oversight with respect to cybersecurity. At each regularly scheduled board meeting, the Board discusses the steps the Company has taken to ensure proper security. While we have not experienced material cybersecurity incidents in the past, our policies and procedures require us to inform the Board of any material incident.

Ongoing Activities

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against, detect, and respond to cybersecurity incidents, we undertake the following activities:

●

All corporate machines are protected by anti-virus software and enterprise network protection;

●

We require two-factor authentication on all corporate machines;

●

We require two-factor authentication for all corporate email accounts;

●

We require all corporate employees to complete quarterly cybersecurity training provided by a third-party;

●

Our CIO and other members of our technology team proactively monitor all potential risks and immediately respond to threats;

●

Our data is backed up in multiple offline air-gapped devices;

●

We test all backups quarterly;

●

We monitor regulations to ensure our policies and procedures are up-to-date and compliant.

Incident Response

Our incident response plan identifies the key employees responsible for responding to a cybersecurity incident including our CIO, CLO, CEO, and other executives along with the technology department, and coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The Company has not experienced incidents in the past which were material to our operating results or business.

Third-Party Risk Management

Our polices and processes address cybersecurity threat risks associated with the use of third-party service providers, including those who access, use and/or store our client, candidate, associate and employee data or have access to our network and systems. Third-party risks are included within our enterprise risk management assessment program, as well as our information security-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform due diligence on third parties that have access to our systems, data or facilities that house such systems or data. This allows us to identify high-risk providers and continually monitor for cybersecurity threat risks appropriately. Additionally, we require contracts with all third parties that have access to our network and systems to include baseline security requirements for adequate data handling, as well as to provide the company with audit rights. Such contractual requirements are reviewed during each subsequent contract renewal process.

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity incidents continue to become more prevalent requiring adequate and continuous assessment, identification, and management of material risks associated with cybersecurity threats. These risks include, among other things, disruption of our business processes and proprietary software, and potential unwanted disclosure of protected personal information which may cause harm to our employees, and clients, violations of privacy laws and regulations, breach of confidentiality and other contractual obligations, litigation and legal action, and financial and reputational harm. We utilize cybersecurity technologies and established procedures and processes to identify, assess, and manage these material cybersecurity risks.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our Chief Information Officer (“CIO”) heads our technology team which establishes processes and procedures to assess technology related risks, including cybersecurity risks, to the Company. Protections we have in place include regular network monitoring, vulnerability assessments, and tabletop exercises to inform the company of potential risks and mitigation strategies. We also execute enterprise risk management assessments, which include cybersecurity threat risks.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our CIO has reviewed the standards created by the National Institute of Standards and Technology and has incorporated their approaches where appropriate. We conduct internal and external risk assessments.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true