Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management, Strategy and Governance

Cybersecurity Risk Management, Strategy and Governance
12 Months Ended
Dec. 28, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We assess, identify and manage material risks from cybersecurity threats through various protective policies, procedures and processes. These are embedded into our overall risk management system and extend to risks related to systems hosted by third parties.

We utilize external standards, such as the Center for Internet Security framework, as a starting point for the design and development of our systems that assess risk and mitigation measures. Helios is committed to achieving compliance with the CIS implementation group level 2 standards. However, this does not mean that we meet any particular technical standards, specifications, or requirements, but rather we use external standards as a guide to help us identify, assess and manage cybersecurity risks and threats relevant to our business. An annual risk assessment is completed and presented to the executive leadership team and the Company’s Board of Directors. We discuss changes to our policies, procedures and processes needed to address gaps identified through the assessment.

We maintain organizational safeguards that include employee training, business continuity planning and cybersecurity insurance. These safeguards are reviewed on an annual basis or more frequently as the business environment warrants and are adjusted as needed to account for changes in the Company and overall risk environment. Cybersecurity training is delivered to employees through a combination of online modules and, where role-specific needs or circumstances warrant, instructor-led classroom sessions. This approach ensures comprehensive training tailored to the requirements of various roles while maintaining flexibility and accessibility.

We incorporate technical safeguards such as Multi-Factor Authentication (“MFA”), principles of Zero Trust and password complexity policies for all accounts to help prevent unauthorized access to our systems and data. Additionally, we utilize XDR (Extended Detection and Response) installed on endpoints, along with our Security Operations Center (“SOC”) to manage real-time endpoint protection monitoring.

We engage in annual corporate-wide internal and external facing penetration tests, employing a battery of hacking tools to map out our assets and to assess vulnerabilities that could be exploited. In addition, we also extend such testing to newly acquired companies and assets as part of the integration process. This penetration testing is performed by a third party and is used to evaluate our current posture towards cybersecurity threats and to make adjustments, as needed, to protect our systems. The results are reviewed with the executive leadership team and the Company’s ESG Committee of the Board of Directors.

We have an Incident Response Policy and related processes that outline steps to be taken in the event of a cybersecurity incident that impacts Helios, our partners and third-party hosted systems. When a cybersecurity incident occurs, the IT team promptly notifies the VP, Information Technology and assesses its potential impact on operations and business continuity. Incidents that pose a potential threat to operations or business continuity are escalated to a cross-functional team comprising the VP, Information Technology, the Chief Financial Officer (CFO), and the General Counsel. This team evaluates the incident's materiality, considering factors such as the nature, scope, and timing of the event, as well as its potential financial and operational impact. Based on the evaluation, incidents determined to be material are reported to the ESG Committee. This escalation ensures that the Board of Directors is informed of significant cybersecurity events that could impact the company's financial health or operations.

No risks from cybersecurity threats nor any previous cybersecurity incidents have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, but we cannot provide any assurance that they will not be materially affected in the future by such risks or incidents. For a discussion of whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see “Risks Relating to Our Business: Other––Increased IT security threats and more sophisticated and targeted computer crime could pose a risk to our systems, networks, products, solutions and services” in Item 1A, Risk Factors.

Corporate Governance

Role of Management

Helios Technologies' Information Technology organization is led by the VP, Information Technology and is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation and its business units, with oversight by the ESG Committee.

Helios’ VP, Information Technology is an active member of InfraGard and has formal education in information technology with over 25 years’ experience in roles involving management of cybersecurity functions, cyber strategy, and leading and collaborating on information systems and related technologies. The VP, Information Technology receives regular updates on cybersecurity developments, results of mitigation efforts and cybersecurity incident response and remediation through monthly Advanced Threat Intelligence briefings and FBI bulletins via InfraGard.

Helios information systems organization and its management team are responsible for developing and implementing its cybersecurity policies and are comprised of individuals with either formal education in information technology or cybersecurity or relevant experience working in information technology and cybersecurity. Additionally, leaders in Helios’ information technology function receive periodic training and education on cybersecurity-related topics including certifications.

Role of the Helios Board of Directors

The ESG Committee addresses risks related to the global enterprise, including material risks facing the businesses, risks the Company may face in the future, measures that management has employed to address those risks and other information relating to how risk analysis is incorporated into the Company’s corporate strategy and day-to-day business operations. As part of this oversight function, the ESG Committee is responsible for overseeing cybersecurity-related risks. The ESG Committee includes cybersecurity topics in its quarterly updates to the full Board of Directors, which provides further oversight over our cybersecurity-related risks and the Company's strategies to address such risks. Reports to the Board of Directors and ESG Committee include comprehensive updates on the current cybersecurity risk landscape, the status of ongoing mitigation efforts, and emerging incident trends. Additionally, these reports cover updates on third-party risk assessments, progress on cybersecurity initiatives such as technology upgrades, regulatory compliance measures, and employee training programs.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We assess, identify and manage material risks from cybersecurity threats through various protective policies, procedures and processes. These are embedded into our overall risk management system and extend to risks related to systems hosted by third parties

We maintain organizational safeguards that include employee training, business continuity planning and cybersecurity insurance. These safeguards are reviewed on an annual basis or more frequently as the business environment warrants and are adjusted as needed to account for changes in the Company and overall risk environment. Cybersecurity training is delivered to employees through a combination of online modules and, where role-specific needs or circumstances warrant, instructor-led classroom sessions. This approach ensures comprehensive training tailored to the requirements of various roles while maintaining flexibility and accessibility.

We incorporate technical safeguards such as Multi-Factor Authentication (“MFA”), principles of Zero Trust and password complexity policies for all accounts to help prevent unauthorized access to our systems and data. Additionally, we utilize XDR (Extended Detection and Response) installed on endpoints, along with our Security Operations Center (“SOC”) to manage real-time endpoint protection monitoring.

We engage in annual corporate-wide internal and external facing penetration tests, employing a battery of hacking tools to map out our assets and to assess vulnerabilities that could be exploited.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Corporate Governance

Role of Management

Helios Technologies' Information Technology organization is led by the VP, Information Technology and is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation and its business units, with oversight by the ESG Committee.

Helios’ VP, Information Technology is an active member of InfraGard and has formal education in information technology with over 25 years’ experience in roles involving management of cybersecurity functions, cyber strategy, and leading and collaborating on information systems and related technologies. The VP, Information Technology receives regular updates on cybersecurity developments, results of mitigation efforts and cybersecurity incident response and remediation through monthly Advanced Threat Intelligence briefings and FBI bulletins via InfraGard.

Helios information systems organization and its management team are responsible for developing and implementing its cybersecurity policies and are comprised of individuals with either formal education in information technology or cybersecurity or relevant experience working in information technology and cybersecurity. Additionally, leaders in Helios’ information technology function receive periodic training and education on cybersecurity-related topics including certifications.

Role of the Helios Board of Directors

The ESG Committee addresses risks related to the global enterprise, including material risks facing the businesses, risks the Company may face in the future, measures that management has employed to address those risks and other information relating to how risk analysis is incorporated into the Company’s corporate strategy and day-to-day business operations. As part of this oversight function, the ESG Committee is responsible for overseeing cybersecurity-related risks. The ESG Committee includes cybersecurity topics in its quarterly updates to the full Board of Directors, which provides further oversight over our cybersecurity-related risks and the Company's strategies to address such risks. Reports to the Board of Directors and ESG Committee include comprehensive updates on the current cybersecurity risk landscape, the status of ongoing mitigation efforts, and emerging incident trends. Additionally, these reports cover updates on third-party risk assessments, progress on cybersecurity initiatives such as technology upgrades, regulatory compliance measures, and employee training programs.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] this oversight function, the ESG Committee is responsible for overseeing cybersecurity-related risks. The ESG Committee includes cybersecurity topics in its quarterly updates to the full Board of Directors, which provides further oversight over our cybersecurity-related risks and the Company's strategies to address such risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The ESG Committee includes cybersecurity topics in its quarterly updates to the full Board of Directors
Cybersecurity Risk Role of Management [Text Block]

Role of Management

Helios Technologies' Information Technology organization is led by the VP, Information Technology and is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation and its business units, with oversight by the ESG Committee.

Helios’ VP, Information Technology is an active member of InfraGard and has formal education in information technology with over 25 years’ experience in roles involving management of cybersecurity functions, cyber strategy, and leading and collaborating on information systems and related technologies. The VP, Information Technology receives regular updates on cybersecurity developments, results of mitigation efforts and cybersecurity incident response and remediation through monthly Advanced Threat Intelligence briefings and FBI bulletins via InfraGard.

Helios information systems organization and its management team are responsible for developing and implementing its cybersecurity policies and are comprised of individuals with either formal education in information technology or cybersecurity or relevant experience working in information technology and cybersecurity. Additionally, leaders in Helios’ information technology function receive periodic training and education on cybersecurity-related topics including certifications.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Helios Technologies' Information Technology organization is led by the VP, Information Technology and is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation and its business units, with oversight by the ESG Committee
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Helios’ VP, Information Technology is an active member of InfraGard and has formal education in information technology with over 25 years’ experience in roles involving management of cybersecurity functions, cyber strategy, and leading and collaborating on information systems and related technologies. The VP, Information Technology receives regular updates on cybersecurity developments, results of mitigation efforts and cybersecurity incident response and remediation through monthly Advanced Threat Intelligence briefings and FBI bulletins via InfraGard.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] developing and implementing its cybersecurity policies and is comprised of individuals with either formal education in information technology or cybersecurity or relevant experience working in information technology and cybersecurity.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true