Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. In the ordinary course of our business, we receive, process and use large amounts of data. Digital data is stored and backed up with third party partners. Maintaining the integrity and availability of our information technology systems and this information, as well as appropriate limitations on access and confidentiality of such information, is important to our operations and business strategy. We implemented a program designed to assess, identify and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality and integrity of these systems and the data residing in them. With the exception of local point-of-sale solutions, we do not host any solutions on premise as all applications are software as a service.

The program is managed and monitored by a team led by our Chief Information Officer and includes mechanisms, controls, technologies, systems, policies and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the systems and data residing in them. For example, we conduct risk-based penetration and vulnerability testing and ongoing risk assessments. We also conduct employee training on cyber and information security, among other topics. In addition, we consult with outside advisors and experts to assist with assessing, identifying, and managing cybersecurity risks and their impact on our risk environment. Lastly, we outsource to a cybersecurity firm all intrusion detection, intrusion prevention and system incident and event monitoring.

Our Chief Information Officer, who reports directly to the Chief Executive Officer and has over 25 years of experience managing information technology and cybersecurity matters, together with our third-party service providers, are responsible for assessing and managing cybersecurity risks. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. In the last fiscal year, we have not identified any prior cybersecurity incidents that materially affected us, but we face certain ongoing risks from cybersecurity threats that, if realized, could materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Cybersecurity, Data Privacy and IT Systems.”

The Board of Directors, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Committee receives regular updates and reviews with management the implementation and effectiveness of the Company’s controls to monitor and mitigate cybersecurity risks.