Item 1C. Cybersecurity
Risk Management and Strategy
As part of our overall enterprise risk management function, we have implemented and currently maintain various information security processes designed to assess, identify, and manage material risks from cybersecurity threats to our critical computer network, third-party hosted services, and our critical data (collectively, our “Information Systems”).
We have engaged an outside consultant that assists our efforts to prevent threats toward our Information Systems. This consultant monitors data feeds from certain of our key Information Systems. The consultant notifies and works with the Company to investigate and resolve any potential cybersecurity threats identified.
Internally, to help manage risk from potential cybersecurity threats, we require our employees to participate in mandatory cybersecurity training provided by a third-party specialist, which focuses on building awareness of common tactics used by threat actors, such as phishing. This training is provided on an annual basis.
All of our offices use our own gateway consoles, which have intrusion detection features built in. Additionally, access to our key Information Systems requires an in-office network or VPN with multi-factor authentication, and we employ additional protective measures including the use of our proprietary identity management tool. We also use third-party tools to protect our employee laptops and self-hosted servers and have implemented a public bug bounty program that helps to identify vulnerabilities in our products.
We and certain of our vendors have experienced cyber-attacks in the past and may experience cyber-attacks in the future. For example, as previously disclosed, we became aware in January 2021 that certain of our information technology systems hosted by a third-party cloud provider were improperly accessed and certain of our source code and the credentials used to access the information technology systems themselves had been compromised. We received a threat to publicly release these materials unless we made a payment, which we have not done. As a result, it is possible that the source code and other information could be publicly disclosed or made available to our competitors. Due to the nature of the source code and the other information that we believe was improperly accessed, we at this time do not believe that any public disclosure will have a material adverse effect on our business or operations, but it is impossible to gauge the precise impact of any such disclosure.
Except as described above, to date, risks from cybersecurity threats have not previously materially affected us, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.”
Governance
Role of the Board
Our Board of Directors (the “Board”) has the responsibility for the oversight of risk management, including those risks related to cybersecurity. Our Board holds strategic planning sessions with senior management to discuss strategies, key challenges, risks and opportunities for us. This involvement of our Board in setting our business strategy is a key part of its oversight of risk management, its assessment of management’s appetite for risk, and its determination of what constitutes an appropriate level of risk for us. Our senior management attends meetings of our Board and its committees on a quarterly basis, and as otherwise needed, and is available to address any questions or concerns raised by our Board on risk management and any other matters.
Role of Management
Our senior management, with the oversight of the Board, is responsible for the day-to-day management of the material risks we face, including those related to cybersecurity. We believe it is important to work cross-functionally within the Company to manage cybersecurity risks and threats. Therefore, our cybersecurity team is made up of individuals from multiple different departments throughout the Company, including but not limited to our security, IT, R&D and legal teams. The cybersecurity team as a whole has academic degrees related to cybersecurity, technical know-how, and real-world experience managing cybersecurity incidents and risks. Material issues identified by our cybersecurity team are brought to the attention of our Chief Executive Officer and/or our Executive Vice President of Operations and Legal Affairs, who in turn will update the Board, as necessary.