FingerMotion, Inc. 10-K Cybersecurity GRC - 2024-05-29

Page last updated on July 16, 2024

FingerMotion, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-29 16:15:44 EDT.

Filings

10-K filed on 2024-05-29

FingerMotion, Inc. filed a 10-K at 2024-05-29 16:15:44 EDT
Accession Number: 0001520138-24-000219

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Globally, organizations are encountering cybersecurity incidents with growing frequency, and the nature of these threats is becoming more sophisticated and constantly changing.We recognize the importance of developing, implementing and maintaining strong cybersecurity policies and processes to protect our information systems and the confidentiality, integrity, and accessibility and availability of our data. Risk Management and Strategy Managing Material Risks & Integrated Overall Risk Management We have developed and maintained policies, procedures, and controls to mitigate material risks from cybersecurity threats, and assess and disclose information to investors concerning material cybersecurity incidents. Further, we have strategically integrated cybersecurity risk management into our broader risk management framework to promote awareness and attention to cybersecurity risk management company wide. These risks are evaluated on an ongoing basis as part of our overall risk management strategy that is monitored and tracked by our Risk and Information Security Committee, as well as through a separate cybersecurity assessment of the China IT platform opearated by our contractually controlled subsidiary, JiuGe Technology, which is required under PRC laws. The lead information technology manager (the “IT Manager”) of JiuGe Technology oversees this assessment, which is performed by a third party hired by JiuGe Technology and includes some government oversight, called the Multi-Level Protection Scheme (“MLPS”), the objective of which is to protect data and information systems from security threats. The assessment stratifies IT systems based on the risk and severity of potential security breaches related to the data handled and assesses the effectiveness of the systems in safeguarding against cyber threats. The MLPS includes attributes such as physical security, network security, host security, application security, and data security. The final MLPS report is submitted to the appropriate authorities, and the IT Manager also reviews this report with our CFO. Our CFO and the IT Manager report directly to the Risk and Information Security Committee to review the Company’s information security and cybersecurity risks, including but not limited to, the MLPS report. Despite these efforts, no system is impenetrable, and we cannot provide assurances that we will prevent every attack or timely detect every incident. Engage Third-parties on Cyber- Risk Management The Company currently engages third parties in connection with our China cybersecurity annual assessment overseen by our IT Manager, which is driven by risk ranking and assessment. Cybersecurity considerations for operations outside of China, which includes a small proportion of core functions as well as administrative functions, are incorporated in the Company’s overall risk assessment and will be considered in the overall SOX/controls management testing going forward when appropriate. Recognizing the importance of cybersecurity from both an operational and disclosure perspective, as well as the complexity and evolving nature of cybersecurity threats, we plans to revisit the link between China cybersecurity testing and FingerMotion’s consolidated cybersecurity risk assessment and consider potential enhancements. FingerMotion will consider resource and capital constraints when determining the nature and timing of enhancing our cybersecurity infrastructure. Overseeing Risks stemming from Third-Party Service Providers We maintain comprehensive internal protocols to mitigate cybersecurity threats associated with our use of third party service providers. We are currently enhancing these protocols to further strengthen our defenses and reduce potential vulnerabilities. -41- Table of Contents Risks from Cybersecurity Threats We do not currently identify any major cybersecurity threats that have materially affected or are reasonably likely to materially affect us (including our business strategy, results of operations, or financial condition). Governance Board of Directors Oversight Our Board of Directors recognizes the importance of information security and mitigating cybersecurity and other data security threats and risks as part of our efforts to protect and maintain the confidentiality and security of our customers, employee and vendor information, as well as non-public information about our Company. Although our full Board of Directors has ultimate responsibility with respect to risk management oversight, the Risk and Information Security Committee of our Board of Directors is charged with and bears primary responsibility for, among other matters, overseeing risks specific to the identification and mitigation of cybersecurity risks. Management’s Role Managing Risk The CFO and CEO play a pivotal role in informing the Risk and Information Security Committee on cybersecurity risks. The CFO will immediately notify the Risk and Information Security Committee and Board of Directors of any cybersecurity incident that is determined to be material. The CFO and CEO deliver focused updates to the Risk and Information Security Committee annually, or more frequently as needed, in response to specific incidents or emerging threats. These briefings encompass a broad range of topics, including: · Current cybersecurity landscape and emerging threats; · Status of ongoing cybersecurity initiatives and strategies; · Incident reports and learnings from any cybersecurity events; and · Compliance with regulatory requirements and industry standards. As we progress in the assessment and enhancement of our cybersecurity program, we plan to consider the following areas for enhancement and incorporation into the cybersecurity risk management and governance program in the future: · Oversight of Third-Party cybersecurity risk · Engaging/ outsourcing Risk management Personnel · Monitoring system/ procedures for cybersecurity incidents · Reporting to Board of Directors regarding cybersecurity risks and incidents Risk Management Personnel Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with the CEO, Mr. Martin Shen, and the CFO, Mr. Yew Hon Lee, working in close coordination with Mr. ShenJian, the IT Manager of our China Operations. Messrs. Shen and Lee have experience in overseeing IT Functions, including cybersecurity. Mr. ShenJian (the IT Manager) has 24 years of experience in technical work since graduating from Jiaotong University in June 2000 with a major in technology. His expertise is critical in designing, implementing, and executing our cybersecurity strategies. Our IT Manager oversees our governance programs in partnership with our CEO and CFO, oversees testing of our compliance with government standards in China, remediates known risks, and leads our employee training program around cybersecurity.

Company Information