Annual report pursuant to Section 13 and 15(d)

Cybersecurity Risk Management, Strategy and Governance

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

Our Processes Regarding Cybersecurity Threats

We apply a layered approach, or defense-in-depth strategy, to cybersecurity. This layered approach to security leverages governance, people, processes, and technology to provide our information technology (“IT”) teams with preventative measures and strategies such that they are prepared to respond to cybersecurity threats and incidents.

We have processes, controls and technology infrastructure to maintain, protect, and enhance existing systems and design new systems to keep pace with continuing changes in technology, evolving industry and regulatory standards, and emerging cybersecurity and data security risks.

We collect, process, and analyze threat intelligence data from a variety of sources to understand motives, targets, and attack behaviors.

Another aspect of our security program is vulnerability management, which includes, among other things, asset discovery and inventory, third-party vulnerability scanners, patch management and remediation, configuration management, as well as penetration testing.

We have monitoring systems which are designed to identify potential cybersecurity events, including threats and incidents. These monitoring systems are managed by our Global Security Operations Center, which employs cybersecurity professionals in the United States and in certain foreign countries in which we operate to provide better coverage and response actions.

We also use a Security Information and Event Management (SIEM) platform, providing real-time analysis of security alerts generated by applications and network hardware. This platform helps the Global Security Operations Center in monitoring and responding to security events.

We have a multi-functional incident response plan which provides guidance in the event of a cybersecurity incident. The plan is managed by our Incident Management Team, which includes representation from our Global Security, Cybersecurity, Legal, and Finance departments, among others. The Incident Management Team is responsible for responding to an incident, including tasks such as identifying and assessing the nature of the incident, containing the incident, and coordinating with relevant departments. Depending on the nature or severity of the event, the Incident Management Team may escalate the matter to our Executive Leadership Team, which includes the Chief Executive Officer, Chief Operating Officer, Chief Information Security Officer, Chief Financial Officer, General Counsel, and other executives. If necessary, the matter could be escalated to our Board of Directors or any appropriate Board committees, including the Audit Committee, which has oversight responsibility for cybersecurity risk. This structured governance approach is designed to manage cybersecurity incidents with participation and involvement from the appropriate levels of our organization.

External and internal audits are conducted periodically to assess the effectiveness of our cybersecurity measures. These audits include an annual technology risk assessment by our Cybersecurity and IT departments. Our Internal Audit team also conducts cybersecurity risk assessments which include, among other things, evaluating governance of our cybersecurity processes and functions, assessing our ability to identify, validate and remediate vulnerabilities, and evaluating penetration studies. Results of our Internal Audit assessments are shared with our Enterprise Risk Management (“ERM”) team, our Technology Risk Committee, and in accordance with our governance structure which includes, among other things, the Audit Committee of our Board of Directors.

We conduct vendor security assessments for key service providers, including as part of our vendor onboarding process and as part of our contract review process. The cybersecurity assessment process includes considerations from an industry-leading third-party vendor security ratings company.

Our standard agreements with third parties may include, among other provisions, compliance requirements, data protection standards, audit rights, and security incident notification requirements. A dedicated email account and hotline are in place for third parties to report security incidents. The email account and hotline are monitored 24/7/365 by our Global Security Operations Center. Notice of a third-party security incident could trigger the activation of our incident response plan, as further described above.

Cybersecurity Governance and Risk Management Systems

Our risk management system includes several risk management functions that support our processes for identifying, assessing, and controlling risks to our business, including cybersecurity risks.

Our cybersecurity risk management process is integrated with our overarching risk management system, led by our ERM team, and further guided by our Technology Risk Committee. Our Technology Risk Committee is responsible for reviewing and approving the effectiveness of our cybersecurity risk framework and assisting with the oversight of decisions that affect compliance with applicable legal and regulatory matters and corporate policies. As part of the management oversight structure, the ERM team provides our Management Risk Committee with periodic updates on key risk conditions, strategy and mitigation efforts.

Our cybersecurity risk management process, which encompasses regular monitoring and periodic assessments, is designed to identify and mitigate cybersecurity threats and vulnerabilities. These efforts are aligned with the broader objectives of our ERM team and are regularly reviewed and refined in consultation with our Technology Risk Committee.

A key aspect of this integrated framework is the role of our Internal Audit team, which serves as an independent, objective assurance function tasked with evaluating the effectiveness of risk management, internal controls, and our governance processes.

Communication channels between our cybersecurity teams and other risk management personnel are established to facilitate the timely sharing of information about potential cyber threats. For example, our Data Protection and Information Security working group, which includes representation by our Chief Information Security Officer, and our Legal, ERM, Information Governance and Finance departments, among others, meets regularly to discuss key risks, strategies and threats related to information security.

Our Board of Directors administers a risk oversight function through its Audit Committee, and is supported by our ERM team, including on matters related to cybersecurity risks. This management reporting is designed to give our Board of Directors visibility over our operations and activities to adequately identify key risks, including, among other things, cybersecurity risks, and understand management’s risk mitigation strategies.

Our Cybersecurity department is staffed with professionals holding a variety of IT, cybersecurity and audit best practice certifications, including, among others, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), International Organization for Standardization 27001 Lead Auditor Certification (ISO 27001 LA), Certified Information Privacy Professional (IAPP CIPP/CIPM), Alibaba Cloud’s Cloud Security Certification (Ali-ACP), and Certified in Risk and Information Systems Control (CRISC). Our Cybersecurity department also has a training and development program in place so that appropriate skillsets are maintained and/or acquired, and professional certifications remain current.

Our cybersecurity teams are supported by training programs and a dedicated learning management system, Herbalife University, whereby all Herbalife employees receive mandatory security awareness training. Specialized training is also assigned to certain functions based on job responsibilities. Training content is purchased from multiple well-recognized third parties. In addition to assigned training, Herbalife University offers additional information security related courses available to all employees on demand.

Our cybersecurity program also engages a variety of consultants, auditors and other third parties to support and assist with implementing and maintaining appropriate security measures. Any number of third parties may be engaged to assist in response actions, including, among others, intelligence providers, product, software and service providers and advisors. Professional services, or consultants, are engaged as needed to help implement, support or advise on a variety of technical matters. Legal counsel, law enforcement and external auditors are also consulted as needed.

We have identified and, in some cases, engaged, third-party experts to allow for quicker engagement if a cybersecurity incident occurs in the future.


Risks from Cybersecurity Threats

As of December 31, 2024 and as of the date of this filing, we are not aware of any risks from cybersecurity threats, including any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. This statement does not guarantee that future incidents or threats will not have a material impact or that we are not currently the subject of an undetected incident or threat that may have such an impact.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management process is integrated with our overarching risk management system, led by our ERM team, and further guided by our Technology Risk Committee. Our Technology Risk Committee is responsible for reviewing and approving the effectiveness of our cybersecurity risk framework and assisting with the oversight of decisions that affect compliance with applicable legal and regulatory matters and corporate policies. As part of the management oversight structure, the ERM team provides our Management Risk Committee with periodic updates on key risk conditions, strategy and mitigation efforts.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our risk management system includes several risk management functions that support our processes for identifying, assessing, and controlling risks to our business, including cybersecurity risks.

Our cybersecurity risk management process is integrated with our overarching risk management system, led by our ERM team, and further guided by our Technology Risk Committee. Our Technology Risk Committee is responsible for reviewing and approving the effectiveness of our cybersecurity risk framework and assisting with the oversight of decisions that affect compliance with applicable legal and regulatory matters and corporate policies. As part of the management oversight structure, the ERM team provides our Management Risk Committee with periodic updates on key risk conditions, strategy and mitigation efforts.

Our cybersecurity risk management process, which encompasses regular monitoring and periodic assessments, is designed to identify and mitigate cybersecurity threats and vulnerabilities. These efforts are aligned with the broader objectives of our ERM team and are regularly reviewed and refined in consultation with our Technology Risk Committee.

A key aspect of this integrated framework is the role of our Internal Audit team, which serves as an independent, objective assurance function tasked with evaluating the effectiveness of risk management, internal controls, and our governance processes.

Communication channels between our cybersecurity teams and other risk management personnel are established to facilitate the timely sharing of information about potential cyber threats. For example, our Data Protection and Information Security working group, which includes representation by our Chief Information Security Officer, and our Legal, ERM, Information Governance and Finance departments, among others, meets regularly to discuss key risks, strategies and threats related to information security.

Our Board of Directors administers a risk oversight function through its Audit Committee, and is supported by our ERM team, including on matters related to cybersecurity risks. This management reporting is designed to give our Board of Directors visibility over our operations and activities to adequately identify key risks, including, among other things, cybersecurity risks, and understand management’s risk mitigation strategies.

Our Cybersecurity department is staffed with professionals holding a variety of IT, cybersecurity and audit best practice certifications, including, among others, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), International Organization for Standardization 27001 Lead Auditor Certification (ISO 27001 LA), Certified Information Privacy Professional (IAPP CIPP/CIPM), Alibaba Cloud’s Cloud Security Certification (Ali-ACP), and Certified in Risk and Information Systems Control (CRISC). Our Cybersecurity department also has a training and development program in place so that appropriate skillsets are maintained and/or acquired, and professional certifications remain current.

Our cybersecurity teams are supported by training programs and a dedicated learning management system, Herbalife University, whereby all Herbalife employees receive mandatory security awareness training. Specialized training is also assigned to certain functions based on job responsibilities. Training content is purchased from multiple well-recognized third parties. In addition to assigned training, Herbalife University offers additional information security related courses available to all employees on demand.

Our cybersecurity program also engages a variety of consultants, auditors and other third parties to support and assist with implementing and maintaining appropriate security measures. Any number of third parties may be engaged to assist in response actions, including, among others, intelligence providers, product, software and service providers and advisors. Professional services, or consultants, are engaged as needed to help implement, support or advise on a variety of technical matters. Legal counsel, law enforcement and external auditors are also consulted as needed.

We have identified and, in some cases, engaged, third-party experts to allow for quicker engagement if a cybersecurity incident occurs in the future.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our Board of Directors administers a risk oversight function through its Audit Committee, and is supported by our ERM team, including on matters related to cybersecurity risks. This management reporting is designed to give our Board of Directors visibility over our operations and activities to adequately identify key risks, including, among other things, cybersecurity risks, and understand management’s risk mitigation strategies.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

management reporting is designed to give our Board of Directors visibility over our operations and activities to adequately identify key risks, including, among other things, cybersecurity risks, and understand management’s risk mitigation strategies.

Cybersecurity Risk Role of Management [Text Block]

Our cybersecurity risk management process is integrated with our overarching risk management system, led by our ERM team, and further guided by our Technology Risk Committee. Our Technology Risk Committee is responsible for reviewing and approving the effectiveness of our cybersecurity risk framework and assisting with the oversight of decisions that affect compliance with applicable legal and regulatory matters and corporate policies. As part of the management oversight structure, the ERM team provides our Management Risk Committee with periodic updates on key risk conditions, strategy and mitigation efforts.

Our cybersecurity risk management process, which encompasses regular monitoring and periodic assessments, is designed to identify and mitigate cybersecurity threats and vulnerabilities. These efforts are aligned with the broader objectives of our ERM team and are regularly reviewed and refined in consultation with our Technology Risk Committee.

A key aspect of this integrated framework is the role of our Internal Audit team, which serves as an independent, objective assurance function tasked with evaluating the effectiveness of risk management, internal controls, and our governance processes.

Communication channels between our cybersecurity teams and other risk management personnel are established to facilitate the timely sharing of information about potential cyber threats. For example, our Data Protection and Information Security working group, which includes representation by our Chief Information Security Officer, and our Legal, ERM, Information Governance and Finance departments, among others, meets regularly to discuss key risks, strategies and threats related to information security.

Our Board of Directors administers a risk oversight function through its Audit Committee, and is supported by our ERM team, including on matters related to cybersecurity risks. This management reporting is designed to give our Board of Directors visibility over our operations and activities to adequately identify key risks, including, among other things, cybersecurity risks, and understand management’s risk mitigation strategies.

Our Cybersecurity department is staffed with professionals holding a variety of IT, cybersecurity and audit best practice certifications, including, among others, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), International Organization for Standardization 27001 Lead Auditor Certification (ISO 27001 LA), Certified Information Privacy Professional (IAPP CIPP/CIPM), Alibaba Cloud’s Cloud Security Certification (Ali-ACP), and Certified in Risk and Information Systems Control (CRISC). Our Cybersecurity department also has a training and development program in place so that appropriate skillsets are maintained and/or acquired, and professional certifications remain current.

Our cybersecurity teams are supported by training programs and a dedicated learning management system, Herbalife University, whereby all Herbalife employees receive mandatory security awareness training. Specialized training is also assigned to certain functions based on job responsibilities. Training content is purchased from multiple well-recognized third parties. In addition to assigned training, Herbalife University offers additional information security related courses available to all employees on demand.

Our cybersecurity program also engages a variety of consultants, auditors and other third parties to support and assist with implementing and maintaining appropriate security measures. Any number of third parties may be engaged to assist in response actions, including, among others, intelligence providers, product, software and service providers and advisors. Professional services, or consultants, are engaged as needed to help implement, support or advise on a variety of technical matters. Legal counsel, law enforcement and external auditors are also consulted as needed.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

As part of the management oversight structure, the ERM team provides our Management Risk Committee with periodic updates on key risk conditions, strategy and mitigation efforts.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our Cybersecurity department is staffed with professionals holding a variety of IT, cybersecurity and audit best practice certifications, including, among others, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), International Organization for Standardization 27001 Lead Auditor Certification (ISO 27001 LA), Certified Information Privacy Professional (IAPP CIPP/CIPM), Alibaba Cloud’s Cloud Security Certification (Ali-ACP), and Certified in Risk and Information Systems Control (CRISC). Our Cybersecurity department also has a training and development program in place so that appropriate skillsets are maintained and/or acquired, and professional certifications remain current.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Our cybersecurity risk management process, which encompasses regular monitoring and periodic assessments, is designed to identify and mitigate cybersecurity threats and vulnerabilities. These efforts are aligned with the broader objectives of our ERM team and are regularly reviewed and refined in consultation with our Technology Risk Committee.

Communication channels between our cybersecurity teams and other risk management personnel are established to facilitate the timely sharing of information about potential cyber threats. For example, our Data Protection and Information Security working group, which includes representation by our Chief Information Security Officer, and our Legal, ERM, Information Governance and Finance departments, among others, meets regularly to discuss key risks, strategies and threats related to information security.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true