RISK FACTORS.

Not required for a smaller reporting company.

Not applicable.

Cybersecurity Risk Management and Strategy

The Company has an information security program and procedures in place to protect, identify, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. The Company uses various security tools that help prevent, identify, investigate, resolve and recover from identified vulnerabilities and security incidents to protect our information systems and data from cybersecurity threats. This framework is implemented and overseen by management’s information security department which is led by the Information Technology (“IT”) Support Associate Director and overseen by the Company’s IT Steering Committee. The IT Support Associate Director has over twenty years of experience in technology management and cybersecurity. The IT Steering Committee is comprised of the Company’s two Associate IT Directors, the CEO, and CFO and convenes quarterly to review IT control policies and procedures are properly followed and any new employees were properly onboarded in compliance with security procedures.

The Company employs third party risk security vendors to identify, mitigate, and remediate cybersecurity risks; however, we rely on the third parties we use to implement security programs commensurate with their risks, and we cannot ensure in all circumstances that their efforts will be successful. An annual penetration test is performed in April, which is a security test that simulates a real-world threat to the Company’s IT network and includes comprehensive “Dark Web” searches of all domain user emails. The test performed by Connection (Data Partner) revealed no current cybersecurity breaches. Scans of the Company’s firewall are conducted during the first week of each quarter by third party vendor Contego. Any necessary remediation would also be provided by Contego after the scan, but none has been required. The Company uses SolarWinds with Sentinel One software from Contego to continually monitor technology systems for viruses, malicious software, executable harmful files, and other cybersecurity risks. The Company requires the annual submission of SOC 1 security certificates from our third-party vendors which have access to our financial and sales data. The Company also maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity related incidents.

The Company recognizes that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, each employee is required to complete information security and data privacy training to build awareness of cybersecurity risks to the organization. The Company has engaged third party vendor Knowbe4 to send each employee an email that mimics a potentially harmful phishing attempt each month and to report to management the results of the phishing security test.

The Board of Directors are acutely aware of the critical nature of managing risks associated with cybersecurity threats. Each quarterly meeting, management presents a cybersecurity update which includes results of testing by third-party vendors and any suspected cybersecurity incidents to the entire Board of Directors. Management would report any material cybersecurity breach immediately to the full Board of Directors. The Company has a written policy for the employee reporting of any cybersecurity suspected incidents.

The Audit Committee of the Board has the primary responsibility to oversee effective governance in managing risks associated with cybersecurity threats. Our Audit Committee is composed of members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.