Vista Outdoor Inc. 10-K Cybersecurity GRC - 2024-05-29

Page last updated on July 16, 2024

Vista Outdoor Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-29 16:07:57 EDT.

Filings

10-K filed on 2024-05-29

Vista Outdoor Inc. filed a 10-K at 2024-05-29 16:07:57 EDT
Accession Number: 0001616318-24-000061


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We recognize the importance of being able to assess, effectively respond to, and manage material cybersecurity threats and incidents that may compromise the confidentiality, integrity or availability of our information systems, data, or network resources. To address these concerns, we have developed and implemented company-wide policies and procedures to help raise awareness of, identify, assess, and manage cybersecurity threats. Our Information Security organization has primary responsibility for the implementation of our cybersecurity policies and procedures and the management of our responses to information technology and security risks, including risks related to cybersecurity threats.

Risk Identification and Assessment

Risk identification is managed through Information Technology (“IT”) programs and service providers that specialize in identifying such risks, employee training, and information security policies. We utilize third-party monitoring services that monitor our vendor relationships for cybersecurity-related issues as well as a third party for vulnerability scanning and monitoring of our environments. The cybersecurity team annually conducts internal and external penetration testing with outside third-party cybersecurity experts. Employee training programs reinforce our information security policies, standards and practices, as well as the expectation that employees comply with these policies. We also train employees on how to identify potential cybersecurity risks and protect our resources and information. Training is mandatory for all relevant employees, on a periodic basis, and is supplemented by company-wide testing initiatives, including periodic phishing tests. We also require relevant employees to take periodic awareness training on data privacy, which includes information about pertinent laws, confidentiality, and security, as well as how to effectively report and respond to unauthorized access to or use of personal information.

Risk Management

Based on the risk and impact assessment mentioned above, the Information Security organization forms an Incident Response Team to identify the key responders for the security incident and maintain engagement and communication throughout the incident lifecycle, which may include, among other things, containment, eradication, recovery, and a review of lessons learned. In addition to the Incident Response Team, we have also formed a Cybersecurity Committee that is notified of information security incidents for the purposes of assessing the potential materiality of any such incident. The Cybersecurity Committee consists of management and other representatives of our IT, Finance, Legal, and Internal Audit teams with assistance of third-party consultants and outside legal counsel as appropriate. When necessary, the Cybersecurity Committee will bring matters to the attention of the Audit Committee of the Board of Directors as discussed more fully below.

Risks Related to Third-party Service Providers

To manage cybersecurity risks related to third-party service providers, we conduct security assessments of certain third-party providers before engagement and have established monitoring procedures related to data breaches or other security incidents originating from third parties. To assist in this effort, we may from time to time engage third-party consultants, legal advisors, and audit firms to evaluate and test our risk management systems and assess and remediate certain potential cybersecurity incidents as appropriate.

Risks from Cybersecurity Threats

To date, we have not identified risks from cybersecurity threats or incidents, including as a result of any previous cybersecurity incidents, that have materially affected the Company or are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and there can be no assurance that our cybersecurity risk management policies and procedures will be fully implemented, complied with or successfully protect against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect our business strategy, results of operations, or financial condition, please refer to "Item 1A Risk Factors - Legal and Regulatory Risks - If our efforts to protect the security of personal information about our customers and consumers are unsuccessful and unauthorized access to that personal information is obtained, or we experience a significant disruption in our computer systems or a cybersecurity breach, we could experience an adverse effect on our operations, we could be subject to costly government enforcement action and private litigation and our reputation could suffer."

Governance

Board of Directors Oversight

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information security risks. The Audit Committee receives presentations at least annually regarding our enterprise risk management program, including reports from our Vice President of Internal Audit and our head of Information Technology, on information security matters (such as cybersecurity risk and developments), as well as the steps management takes to monitor and control such exposures.

Management’s Role in Managing Risk and Monitoring Incidents

The leaders of our Information Security organization are responsible for assessing and managing our material risks from cybersecurity threats and supervision of both our internal information security personnel and our retained external cybersecurity consultants. Other members of our management team, including those from legal, finance, and internal audit, supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants we engage; and alerts and reports produced by security tools deployed in the IT environment. Our Cybersecurity team has extensive years of collective experience and members hold multiple certifications, including CISSP, CCNP, CISA, and CySA+.


Company Information

Name: Vista Outdoor Inc.
CIK: 0001616318
SIC Description: Ordnance & Accessories, (No Vehicles/Guided Missiles)
Ticker: VSTO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30