ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Overall Process and Governance

We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. An analysis of the impact, likelihood, and management preparedness of cybersecurity threats to our strategic priorities is integrated into our enterprise risk management program. This provides cross-functional and geographical visibility, as well as executive leadership oversight, to address and mitigate associated risks. We engage third party experts as well as our internal information technology ("IT") audit group to audit our information security programs, and the results are reported to our executive management and the Audit Committee.

In managing material risks from cybersecurity threats, we require that a security and technical architecture review is conducted for all new software and applications, and for all changes to the underlying IT infrastructure that manages, processes, stores, or transmits our data or data of our customers, vendors, suppliers, joint ventures, or employees. Any deviations from our IT security policies and standards are assessed by our IT security team. Any critical and high-risk levels are identified, documented and reported to relevant key stakeholders.

We have established an Incident Response Plan that defines and documents procedures for assessing, identifying, and managing a cybersecurity incident. This plan requires the IT Security Manager to determine whether a cybersecurity incident has occurred and to communicate such findings to the Incident Response Team. The IT Security Manager is responsible for communicating incidents to the Vice President - IT and the other members of management as appropriate. If a cybersecurity incident is determined to be material by our management team, they would notify our Board of Directors.
Our Vice President - IT and IT Security Manager have developed expertise in cybersecurity, data protection, compliance, enterprise architecture and design, data analytics, and digital transformation through years of experience in the information technology space. Our Vice President - IT is designated as the senior executive responsible for cybersecurity and reports directly to our CFO. She and the IT Security Manager have a comprehensive information technology background with over 30 years of information technology experience. These individuals are responsible for the day-to-day implementation of our cybersecurity program.

We have an established practice to oversee and manage third-party service providers in order to protect our interests related to cybersecurity threats. We utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework to identify, assess and manage our cybersecurity risks, including third-party risks. Our risk assessment involves analyzing and minimizing risk associated with outsourcing to third-party vendors or service providers. We continue to evaluate and enhance our systems, controls, and processes where possible, including responses to actual or perceived threats specific to us or experienced by other third-party vendors or service providers.

The Audit Committee is responsible for the oversight of risks from cybersecurity threats. Our Vice President - IT and the IT security team update the Audit Committee on our cyber risk management program during each of its quarterly meetings. This update includes metrics on the effectiveness of technical and human security controls, cybersecurity training program compliance, internal and third-party cybersecurity incidents, and cybersecurity risks. The Audit Committee also receives a detailed annual update on our cybersecurity program and strategy including cybersecurity risks.
Third Party Security Experts

We engage third party security experts for cyber security assessments, penetration tests and program enhancements, including vulnerability assessments, security framework maturity assessments and identification of areas for continued focus and improvement. In addition, our third-party experts work with us to conduct cybersecurity tabletop exercises and internal phishing awareness campaigns. We use the findings of these exercises to improve our practices, procedures, and technologies. We also engage third party security experts to support our cybersecurity threat and incident response management and maintain information security risk insurance coverage.

Incidents & Risks

To date, we have not experienced any material internal or external cybersecurity incidents and although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. For more information on our cybersecurity risks, see "Risks Related to Information Systems" identified in the "Risk Factors" section of Part 1 of Item 1A herein.