Stemtech Corp 10-K Cybersecurity GRC - 2024-07-10

Page last updated on August 21, 2024

Stemtech Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-10 15:01:13 EDT.

Filings

10-K filed on 2024-07-10

Stemtech Corp filed a 10-K at 2024-07-10 15:01:13 EDT
Accession Number: 0001683168-24-004736


Item 1C. Cybersecurity.

We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We currently have security measures in place to protect our clients, customers, employees, and vendor information and prevent data loss and other security breaches. We also only use third-party software for accounting, billing and payroll that has successful SOC 1 Type 2 compliance. Both management and the Board are actively involved in the continuous assessment of risks from cybersecurity threats, including prevention, mitigation, detection, and remediation of cybersecurity incidents.

Our current cybersecurity risk assessment program consists of an annual review of our risks and policies. The program outlines governance, policies and procedures, and technology we use to oversee and identify risks from cybersecurity threats. Our President & COO and CEO are responsible for overseeing our business operations and are responsible for day-to-day assessment and management of risks from cybersecurity threats, including the prevention, mitigation, detection, and remediation of cybersecurity incidents. We also use the services of an outside consulting firm to monitor activity and advise the company of cybersecurity protocols.

We routinely undertake activities to prevent, detect, and minimize the effects of cybersecurity incidents, including an annual risk review, policy reviews and revisions. In addition, we maintain business continuity, contingency, and recovery plans for use in the event of a cybersecurity incident by the administering of local and cloud-based backup of files and emails. We engaged and used the advice of a third-party consultant to help us assess and identify risks from cybersecurity threats, including the threat of a cybersecurity incident, and manage our risk assessment program. Among other things, these providers have recommended periodic evaluations of the workstations.

We have multiple controls in place in order to prevent breaches; some of these controls include:

a. MFA/2FA: this is our first AND most important line of defense; no one should have MFA bypassed or disabled, with no exceptions.
b. Email Banner for external emails: this banner assists us to identify any phishing / impersonation email and cannot be bypassed.
c. Conditional Access Policy (CAP): rejects connections to Exchange Online from unauthorized countries. We are further enhancing this control by implementing ACLs (access lists) in our CRM and ERP systems and any other mission-critical platform.

ALL platforms should have MFA enforced; any platform not supporting MFA in 2024 is deemed high-risk and immediately replaced as it is obsolete and poses high risk to the Company.

As of the date of this report, no cybersecurity incident (or aggregation of incidents) or cybersecurity threat has materially affected our results of operations or financial condition. However, an actual or perceived breach of our security could damage our reputation and cause existing Independent Business Partners (IBPs or distributors) / customers to discontinue, as well as prevent us from attracting new clients / customers, and / or subject us to third-party lawsuits, regulatory fines or other actions or liabilities, any of which could adversely affect our business, operating results or financial condition. We currently do not carry a cyber liability insurance policy, but are evaluating whether to acquire one to mitigate any financial impact of a cybersecurity breach.


Company Information

Name: Stemtech Corp
CIK: 0001511820
SIC Description: Wholesale-Drugs, Proprietaries & Druggists’ Sundries
Ticker: STEK - OTC
Website
Category: Emerging growth company
Fiscal Year End: December 30