PETMED EXPRESS INC 10-K Cybersecurity GRC - 2024-06-14

Page last updated on July 16, 2024

PETMED EXPRESS INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-14 08:30:34 EDT.

Filings

10-K filed on 2024-06-14

PETMED EXPRESS INC filed a 10-K at 2024-06-14 08:30:34 EDT
Accession Number: 0001040130-24-000046


Item 1C. Cybersecurity.

We have an enterprise-wide information security program designed to assess, identify, and manage the Company’s information security risks and identify, evaluate, respond to and resolve information security incidents. To protect our information systems from information security incidents, we use various processes and tools to identify, prevent, detect, escalate, investigate, resolve and recover from identified vulnerabilities and threats. These include, but are not limited to, reporting, monitoring and detection tools that are widely used in the industry, and internal solutions.

We have an enterprise-wide Incident Response Policy and Incident Response Procedure, which outlines the various points and detailed processes and procedures to be followed when a suspected incident is identified. The overall Incident Response Objectives are to:

a. Accurately investigate and validate the incident
b. Minimize damage or loss of data and services for the Company, our clients, users, employees, and other potentially affected individual data subjects, as appropriate
c. Preserve and/or collect evidence pursuant to the incident in a legally sound manner
d. Quickly restore data and services
e. Review evidence to determine next steps, including notifications where necessary or advisable
f. Document and implement post incident actionable recommendations to prevent incident reoccurrence and improve the incident response process

We assess our cybersecurity maturity and readiness utilizing the CIS (Center for Internet Security) Critical Security Controls, and measure our ongoing progress against this framework to identify areas of opportunity for improvement to our overall cybersecurity readiness. We continually evaluate cybersecurity threats and our ability to monitor for or mitigate against these threats based on information from our vendors, partners, and our own internal research and exposures.
As we are undergoing multiple system upgrades and digital transformation efforts, we will be further evaluating and implementing security measures and best practices in our new systems as we phase out legacy systems. We conduct regular scans, penetration, and vulnerability testing as part of our overall security practice, and as part of our Payment Card Industry Digital Security Standard (PCI-DSS) compliance. Our auditors perform an independent analysis on parts of our information security practices, predominantly in their assessment of our PCI compliance.

We regularly conduct cybersecurity training for our employees, including training for some of the most common breach vectors seen in the industry. For our key partners who help develop or key vendors who provide information systems or have access to our information systems, we require security training or review their information security practices.

We from time to time use our Incident Response Procedures to respond to potential cybersecurity incidents and threats, as our systems and users identify areas of potential incidents during the course of normal operations, none of which to date we believe have been material. We cannot provide assurance that there will not be future incidents that may materially impact us, our financials, our strategy, or our operations. For more cybersecurity risks, see “Our failure or the failure of third-party service providers to protect our websites, networks, and systems against cybersecurity incidents, or otherwise to protect our confidential information, could damage our reputation and brands and substantially harm our business, financial condition, and results of operations” under Item 1A “Risk Factors.”

The Company’s Board of Directors, as a whole, has oversight responsibility for our strategic and operational risks.
The Audit Committee of the Board of Directors is responsible for board-level oversight of cybersecurity risk, and the Audit Committee regularly reports risks and compliance actions to the Board. As part of its oversight role, the Audit Committee receives reporting about the Company’s strategy, programs, incidents and threats, and other developments and action items. These action items include receiving updates on the status of remediation efforts for any non-compliance or risk items related to cybersecurity regularly throughout the year, including through periodic updates from management.


Company Information

Name: PETMED EXPRESS INC
CIK: 0001040130
SIC Description: Retail-Drug Stores and Proprietary Stores
Ticker: PETS - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: March 30