Revelyst, Inc. 10-K Cybersecurity GRC - 2024-06-28

Page last updated on October 1, 2024

Revelyst, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-28 17:02:44 EDT.

Filings

10-K filed on 2024-06-28

Revelyst, Inc. filed a 10-K at 2024-06-28 17:02:44 EDT
Accession Number: 0001943705-24-000005


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of being able to assess, effectively respond to, and manage material cybersecurity threats and incidents that may compromise the confidentiality, integrity or availability of our information systems, data, or network resources. To address these concerns, we plan to develop and implement company-wide policies and procedures to help raise awareness of, identify, assess, and manage cybersecurity threats. Our Information Security organization will have primary responsibility for the implementation of our cybersecurity policies and procedures and the management of our responses to information technology and security risks, including risks related to cybersecurity threats.

Risk Identification and Assessment

Risk identification will be managed through Information Technology (“IT”) programs and service providers that specialize in identifying such risks, employee training, and information security policies. The cybersecurity team will conduct internal and external penetration testing with outside third-party cybersecurity experts. Employee training programs will be used to reinforce our information security policies, standards and practices, as well as the expectation that employees comply with these policies and to train employees on how to identify potential cybersecurity risks and protect our resources and information.

Risk Management

Our Information Security organization will be responsible for identifying the key responders for each security incident and maintaining engagement and communication throughout the incident lifecycle, which may include, among other things, containment, eradication, recovery, and a review of lessons learned.
When necessary, the Information Security team will involve members of management and other representatives of our IT, Finance, Legal, and Internal Audit teams, with assistance of third-party consultants and outside legal counsel as appropriate, to assist in assessing the potential materiality of a cybersecurity incident. When necessary, these matters will be brought to the attention of the Audit Committee of the Board.

Risks Related to Third-party Service Providers

To manage cybersecurity risks related to third-party service providers, we plan to conduct security assessments of certain third-party providers before engagement and will establish monitoring procedures related to data breaches or other security incidents originating from third parties. To assist in this effort, we may from time to time engage third-party consultants, legal advisors, and audit firms to evaluate and test our risk management systems and assess and remediate certain potential cybersecurity incidents as appropriate.

Risks from Cybersecurity Threats

To date, we have not identified risks from cybersecurity threats or incidents, including as a result of any previous cybersecurity incidents, that have materially affected the Company or are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and there can be no assurance that our cybersecurity risk management policies and procedures will be fully implemented, complied with or successfully protect against all cybersecurity threats and incidents.
For more information on how cybersecurity risk could materially affect our business strategy, results of operations, or financial condition, please refer to “Item 1A Risk Factors- Risks Related to the Revelyst Business- If Revelyst’s efforts to protect the security of personal information about Revelyst’s customers and consumers are unsuccessful and unauthorized access to that personal information is obtained, or Revelyst experiences a significant disruption in Revelyst’s computer systems or a cybersecurity breach, such as the ransomware attack experienced by Fox Racing in April 2021 prior to being acquired by Revelyst, Revelyst could experience an adverse effect on its operations, Revelyst could be subject to costly government enforcement action and private litigation and Revelyst’s reputation could suffer.”

Governance

Board of Directors Oversight

The Revelyst Board is expected to receive an annual report on the enterprise risk management review overseen by the Revelyst Audit Committee, which will include, among other things, an evaluation of cybersecurity risks (including cybersecurity risks that Revelyst may have exposure to via its suppliers and service providers), mitigation efforts, incident response preparedness and adequacy of internal controls. In addition, the Revelyst Board is expected to receive in-depth updates from Revelyst’s information technology team on cybersecurity risks on a regular basis.

Management’s Role in Managing Risk and Monitoring Incidents

The leaders of our Information Security organization will be responsible for assessing and managing our material risks from cybersecurity threats and supervision of both our internal information security personnel and our retained external cybersecurity consultants.
Other members of our management team, including those from legal, finance, and internal audit, will supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants we engage; and alerts and reports produced by security tools deployed in the IT environment. The management team anticipated to have primary responsibility for assessing and managing Revelyst’s cybersecurity risks have extensive years of collective experience on the subject and members hold multiple certifications, including CISSP, CCNP, CISA, and CySA+.


Company Information

Name: Revelyst, Inc.
CIK: 0001943705
SIC Description: Sporting & Athletic Goods, NEC
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: March 30