The Technology, Data and Information Security Committee

As described more fully in its charter, the primary purpose of the Technology, Data and Information Security Committee is to assist the Board in fulfilling its oversight responsibilities with respect to our information technology use and protection, including review and oversight of our policies, plans and programs relating to enterprise cybersecurity and data protection risks associated with our products, services, information technology infrastructure and related operations.

In accordance with its charter, the Technology, Data and Information Security Committee must be comprised of a minimum of three Board members, appointed by the Board.

Our Board appoints the members of the Technology, Data and Information Security Committee annually and each member is to serve until his or her successor is duly appointed and qualified or until his or her earlier resignation or removal. Unless a Chair is elected by the full Board, the members may designate a Chair by majority vote of the full Committee membership.

The Technology, Data and Information Security Committee meets as necessary, but at least four times each year, to enable it to fulfill its responsibilities and duties as set forth in its charter. The Technology, Data and Information Security Committee may invite members of management or others to attend Committee meetings and provide pertinent information as the Committee may request on the issues being considered.

The Technology, Data and Information Security Committee reports its actions to the Board and keeps written minutes of its meetings, which are recorded and filed with our books and records.

The Technology, Data and Information Security Committee has the authority to conduct or authorize audits, investigations into or studies of matters within the Committee’s scope of responsibilities and duties, as more fully described in its charter. In carrying out its duties and responsibilities, the Committee has the authority to appoint, retain, compensate, terminate and oversee the work of any independent experts, consultants, legal counsel and other advisers and instruct such experts, consultants, legal counsel and advisers that they should report directly to the Committee on matters pertaining to the work performed during their engagement.

The Technology, Data and Information Security Committee will have sole authority to approve any reasonable fees and other retention terms of any expert, consultant, legal counsel or other adviser that is to be used by the Committee, such funding to be provided by the Company.

We encourage you to refer to the Technology, Data and Information Security Committee charter for a detailed listing of the actions that the Committee must take in order to fulfill its responsibilities and duties, including the following:

ENTERPRISE CYBERSECURITY

• Oversee and assess the quality and effectiveness of our cybersecurity team, technology, policies and procedures protecting our information technology systems, data, products and services across all business functions.

INCIDENT MONITORING AND RESPONSE

• Oversee and review periodically our controls to prevent, detect and respond to cyber-attacks or data breaches involving our information technology systems, data, products and services, taking into account the potential for external and internal threats to us and our customers, partners, vendors and employees.
• Review and approve on a periodic basis (but at least annually) our incident response plans, policies and frameworks, including policies for the escalation and reporting of significant security incidents to the Board, regulatory agencies and law enforcement, as appropriate.

DATA PRIVACY AND SECURITY

• Oversee our compliance with global data privacy and security regulations and requirements applicable to the data we receive, collect, create, use, process and maintain (including personal information and information regarding customers, partners and vendors) and assess the effectiveness of the systems, controls and procedures used by us to ensure compliance with applicable global data privacy and security regulations and requirements.

BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY

• Review periodically with management our business continuity and disaster recovery capabilities.
• Review and approve on a periodic basis (but at least annually) our business continuity and disaster recovery plans, policies and frameworks.

COMPLIANCE RISKS AND AUDITS

• In coordination with the Audit Committee, oversee our management of risks related to our information technology systems and processes, including privacy, network security and data security, and any audits of such systems and processes.

Product and Information Technology Strategies and Operational Plans

• Review our strategies and operational plans relating to the development, deployment, integration and servicing of products, services, applications and systems (including policies, procedures and controls related thereto) to identify and mitigate data security and privacy risks in such strategies and programs.

IT AND SECURITY FUNDING

• Oversee our funding and resourcing of our information technology and security functions.

INSURANCE

• In coordination with the Audit Committee, annually review the appropriateness and adequacy of our technology and cyber risk insurance coverage.

TECHNOLOGY LANDSCAPE AND TRENDS

• Monitor and discuss, with management, emerging security, data protection and privacy trends in the technology landscape.

The Technology, Data and Information Security Committee may exercise such additional powers and duties as may be reasonable, necessary or desirable, in the Committee’s discretion, to fulfill its duties under its charter. 

The Technology, Data and Information Security Committee reviews and assesses periodically, but at least annually, the adequacy of the Committee’s charter and recommends any modifications, if and when appropriate, to the Board for its approval.  The Committee periodically evaluates its own performance and reports the results of such evaluation to the Board.