We maintain a comprehensive cyber risk management program designed to identify, assess, mitigate, and monitor cybersecurity threats across both our corporate and operational technology environments. This program is integrated within our IT and risk management systems and addresses both the corporate and the operational IT environment.

Our program is aligned with recognized industry standards, including the National Institute of Standards and Technology (the “NIST”), the Control Objectives for Information Technologies and ISO 27001, and is evaluated annually by our internal audit department against these frameworks.

Our information security practices emphasize strong governance, well-defined policies and continuous improvement to safeguard critical systems and data. We maintain a structured incident-response framework consistent with NIST guidelines, ensuring that any security events are promptly identified, assessed, and escalated to the appropriate leadership. Our incident response framework applies to our personnel, including contractors and partners that perform functions or services that require securing our information assets, and to all devices and networks that we own. The response framework details the coordinated, multi-functional approach for investigating, containing, and mitigating incidents. This process supports coordinated decision-making and maintains clear communication with senior management and our board of directors when necessary. Cybersecurity incidents are escalated based on predefined criteria to our Chief Information Officer (“CIO”) & Chief Information Security Officer (“CISO”), General Counsel, senior leadership, and, when appropriate, the Audit Committee and our board of directors.

We require all employees to complete mandatory security training during onboarding and annual refresher training thereafter. We also engage qualified third-party partners to support key cybersecurity functions, including managed detection and response, antivirus monitoring, penetration testing, and other specialized services. We maintain specific policies and practices governing our third-party security risks, including our third-party assessment process. Under our third-party assessment process, we gather information from certain third parties who contract with us and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any issues that may affect us.

While cybersecurity threats remain an inherent risk to all organizations and we face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation, our robust risk management strategies have been effective. Accordingly, to our knowledge, over the past three years we have not experienced any material cybersecurity incidents, and such risks have not materially affected and are not reasonably likely to materially affect, our business strategy, results of operations or financial condition. We continue to monitor and strengthen our defenses as part of our ongoing commitment to protecting our business operations, financial performance, and reputation.

We maintain a comprehensive cyber risk management program designed to identify, assess, mitigate, and monitor cybersecurity threats across both our corporate and operational technology environments. This program is integrated within our IT and risk management systems and addresses both the corporate and the operational IT environment.

Oversight of our cybersecurity program is provided by the Audit Committee of the board of directors. Executive leadership, including the CIO & CISO provides regular updates—at least quarterly—on cybersecurity risks, program maturity, and mitigation strategies. Additionally, all members of the board of directors attend quarterly training sessions through internal and external IT specialists, which include review of IT whitepapers, presentations, and other learning materials. Each of the members of the board of directors has also completed certificated training concerning IT security, IT fraud, and other common enterprise-level IT threats.

Our CIO & CISO brings extensive experience in both Information Technology and Operational Technology security and holds the following professional certifications:

In addition to these credentials, our CIO & CISO is an active member of InfraGard, ISC2, and ISACA, and serves as an advisory board member for multiple cybersecurity industry organizations.