Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2024 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Cybersecurity Risk Management Program
We recognize the importance of maintaining the integrity of our information technology systems and safeguarding the confidential business and personal information we receive and store about our employees, customers and suppliers. We have a cybersecurity risk management program in place to identify, assess, and manage risks from cybersecurity threats. Our cybersecurity risk management program is designed to employ industry best practices across our operations and business functions, including monitoring and analysis of the threat environment, vulnerability assessments, and third-party cybersecurity risks; detecting and responding to cyber attacks, cybersecurity incidents, and data breaches; cybersecurity crisis preparedness, incident response plans, and business continuity and disaster recovery capabilities; and investments in cybersecurity infrastructure and program needs. Among the key features of our program are:
In addition to the third parties described above, we regularly engage consultants, advisors, service providers and other third parties to help test, develop and manage our cybersecurity risk management program.
Our cybersecurity risk management program includes technology and processes designed to maintain active security of our information technology systems. We have not experienced a material cyber breach in the last three years. We do not believe that any risks from cybersecurity threats of which we are currently aware, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For additional information regarding the risks to the Company associated with cybersecurity incidents, see “In the event of a cybersecurity incident, we could experience operational interruptions, incur substantial additional costs, become subject to legal or regulatory proceedings or suffer damage to our reputation,” included in Part I, Item 1A (Risk Factors) of this Annual Report.
To help identify and manage cybersecurity risks associated with our use of third-party service providers, we have implemented processes to assess third-party systems which could be compromised in a manner that adversely impacts the Company and our technology systems. In this regard, we conduct due diligence of significant third-party service providers who will have access to our information technology systems and incorporate cybersecurity protections in our engagement contracts with such providers. In addition, we require such third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations. Further, our external auditor reviews our processes designed to control access to our information technology systems as part of its assessment of our internal controls.
Incident Response Procedures
We have in place a cyber incident response plan outlining procedures to follow in the event of a cybersecurity incident. Under the plan, we established a cross-functional critical response team (CRT) with expertise in various subject matter areas responsible for initiating and leading our incident response procedures. The CRT is under the direction of our Chief Information Officer and is comprised of our Director of Information Technology, Chief Accounting Officer, Assistant General Counsel and Chief Compliance Officer, Senior Manager of Risk and Insurance, and certain other members of management. The plan provides that our CRT will conduct an impact assessment in the event of a cybersecurity incident meeting pre-established criteria, or which may otherwise impact the operations or finances of the Company. If any such cybersecurity incident is determined by the CRT to have the potential to materially impact the Company, such event would be elevated for further review and assessment by a senior leadership team consisting of our Chief Executive Officer, Chief Financial Officer, General Counsel and other members of our executive leadership team. Under certain circumstances, such review and assessment would include reporting to and oversight of the Board. |
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] | To help identify, assess, and manage risks from cybersecurity threats, we have integrated cybersecurity risk management into our broader, Company-wide enterprise risk management (ERM) evaluation and strategy process, which is led by our executive officers, overseen by the Audit Committee of the Board, and reviewed annually by the full Board. |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Governance
Our full Board is responsible for oversight of risks from cybersecurity threats, including our cybersecurity risk management program. In carrying out its oversight responsibilities, the Board receives regular cybersecurity program updates and quarterly scorecard assessments from our Chief Information Officer, which cover topics related to information security, privacy and cyber risks, and our risk management processes, including the status of any recent cybersecurity events meeting specified criteria, the emerging threat landscape, and the status of capital investments in our information security infrastructure. |
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | full Board |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | the Board receives regular cybersecurity program updates and quarterly scorecard assessments from our Chief Information Officer, which cover topics related to information security, privacy and cyber risks, and our risk management processes, including the status of any recent cybersecurity events meeting specified criteria, the emerging threat landscape, and the status of capital investments in our information security infrastructure. |
Cybersecurity Risk Role of Management [Text Block] | At a management level, our cybersecurity risk management program is led by our Chief Information Officer, who reports to our Chief Executive Officer. Under our Chief Information Officer’s leadership, the cybersecurity team implements and provides governance and functional oversight for cybersecurity controls and services. The team’s credentials include Certified Chief Information Security Officer, Certified Information Security Manager and Certified Information Systems Security Professional. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Chief Information Officer |
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | with expertise in various subject matter areas responsible for initiating and leading our incident response procedures. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Employees responsible for assessing identified risks deliver an update quarterly to our senior leadership team, which consists of our Chief Executive Officer, Chief Financial Officer, Chief Information Officer, General Counsel, Chief Human Resources Officer, Chief Growth Officer, and Vice President of Supply Chain. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |