Risk Management

We manage significant and persistent cybersecurity risks due to the need to protect our business, including our intellectual property and intellectual property of others that is licensed for our use or to which we have access, our confidential information, personal information and information concerning our personnel and others with whom we conduct business. As with other technology companies, we occasionally face threats from actors who seek to disrupt our business as well as others who are engaging in malicious activities or for reputation damage. Disclose of certain information as a result of a cybersecurity breach may result in a breach of privacy laws. The substantial level of harm that could occur to us and our suppliers and customers were we to suffer impacts of a material cybersecurity incident; and our use of third-party products, services and components requires us to maintain robust governance and oversight of these risks and to implement mechanisms, technologies and processes designed to help us assess, identify, and eliminate these risks. The war with Iran can result in an additional level of cybersecurity risk as bad actors may seek to infiltrate and damage high tech Israeli companies such as us. Further, those seeking cripple Israeli companies may use artificial intelligence to both attack us and seek to penetrate our security.

While we have not, as of the date of this Form 20-F, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, we cannot assure you that we will not experience such an incident in the future. While we did suffer a cybersecurity incident in 2023 which did not result in any material adverse impact to our business, we did not experience any disclosure of our proprietary information, and following such incident we took additional steps to protect us from cybersecurity incidents.

Any cybersecurity incidents, whether or not successful, could result in our incurring additional costs related to, for example, rebuilding our internal systems, implementing additional threat protection measures, responding to regulatory inquiries or actions, paying damages or making payments to obtain access to our computer systems, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. We have seen an increase in cyberattack volume, frequency, and sophistication. We seek to detect and investigate unauthorized attempts and attacks against our network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, while diligently taking actions to eliminate and reduce cyber risks, we remain potentially vulnerable to known or unknown threats. In some instances, we, our suppliers, our customers, and the users of our products and services can be unaware of a threat or incident or its magnitude and effects. Further, there are increasing regulation requirements regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm.

{are we taking any steps to protect our operations in the event that our offices are hit by a drone or missile?}

Governance

We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies and other processes to assess, identify and manage material cybersecurity risks.

Our cybersecurity program is designed to be aligned with applicable industry standards, and we have engaged outside sources to assist us in this effort. We have processes in place to assess, identify, manage and address material cybersecurity threats and incidents. We have ISO 27001:2022 certification, which is a standard for information security management, as well as ISO 21434 certification for product security management. Steps taken by us include, among other things: yearly audits which are conducted by the company’s internal auditor (from 2023 through 2025) of the cybersecurity measures and practices of the Company, the engagement with professional service providers (such as a chief information security officer “CISO” and security operations center services “SOC”), ongoing security awareness training for employees; advanced solution for ZeroTrust access, mechanisms to detect and monitor unusual network activity; and containment and incident response tools.

We monitor issues that are internally discovered or externally reported that may affect our products and we have processes to assess these issues for potential cybersecurity impact or risk. We also have a process in place to manage cybersecurity risks associated with third-party service providers. We are in the process of implementing additional technical and organizational security measures to follow our information security program.

Our CISO, who is a third party engaged by us, and our VP infrastructure, lead the strategy and guidelines, and work with senior management and IT engineering, to operate and guide for implementation of cybersecurity of the Company. The CISO is responsible for handling the cyber risk management by assessment, analysis, reporting, managing the cyber protection following the relevant requirements, the work with the Information Technology team, implementing information security awareness among the employees, and updating the company’s security policies. Our CISO provides annual analysis and updates to the management on our cybersecurity and information security policies and programs, as well as ad hoc updates on information security and cybersecurity matters. The CISO provides updates to the management, which provide updates to the Audit Committee on the Company’s cybersecurity policies, risks and mitigation strategies. In addition, and as part of our policy, our CISO is also responsible for informing the VP infrastructure of material cybersecurity threats and incidents, based on management’s assessment of risk. Our board of directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the Audit Committee. Under our cybersecurity governance framework the Audit Committee, in its charter, is empowered to implement and oversee our cybersecurity and information security policies and periodically review their compliance and mitigate potential cybersecurity threats. The Audit Committee is responsible for ensuring that management has in place processes designed to identify and assess cybersecurity risks, and implement processes and programs designed to manage and mitigate and remediate such risks and incidents. Both management and the Audit Committee also report material cybersecurity risks to our full board of directors, based on management’s assessment of risk.