Value Exchange International, Inc. 10-K Cybersecurity GRC - 2024-07-16

Page last updated on July 16, 2024

Value Exchange International, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-16 10:46:26 EDT.

Filings

10-K filed on 2024-07-16

Value Exchange International, Inc. filed a 10-K at 2024-07-16 10:46:26 EDT
Accession Number: 0001214659-24-012449


Item 1C. Cybersecurity.

Item 1C - Cybersecurity below at page 27.

Regulations

Inapplicability of the 2012 JOBS Act

We do not qualify as an “Emerging Growth Company” and do not qualify for any of the reduced or delayed disclosure options available to an Emerging Growth Company and as summarized below.

The JOBS Act provides scaled disclosure provisions for an eligible Emerging Growth Company, including, among other things: (a) permitting an Emerging Growth Company to include only two years of audited financial statements in a registration statement filed under the Securities Act for an initial public offering of common equity securities; (b) allowing an Emerging Growth Company to comply with the smaller reporting company version of Item 402 of Regulation S-K (Executive Compensation); and (c) removing the requirement that our independent registered public accounting firm attest to the effectiveness of Emerging Growth Company’s internal control over financial reporting in accordance with Section 404(b) of the Sarbanes-Oxley Act of 2002.

The JOBS Act also exempts an Emerging Growth Company from the following additional compensation-related disclosure provisions that were imposed on U.S. public companies pursuant to the Dodd-Frank Act: the advisory “say-on-pay” vote on executive compensation required under Section 14A(a) of the Exchange Act; the Section 14A(b) requirements relating to shareholder advisory votes on golden parachute compensation; the Section 14(i) requirements for disclosure relating to the relationship between executive compensation and financial performance of the issuer; and the requirement of Dodd-Frank Act Section 953(b)(1), which will require disclosure as to the relationship between Chief Executive Officer and median employee pay.

Under Section 102(b)(1) of the JOBS Act, “Emerging Growth Companies” can also delay adopting new or revised accounting standards until such time as those standards apply to private companies.

Climate change Disclosure Rules.

The Company did not experience any direct, material impact on business and financial condition in 2023 from pending or existing climate-change related legislation, regulations, and international accords in the U.S., the physical impacts of climate change, or perceived indirect material impact from business trends. On March 6, 2024, the Commission adopted final rules to require registrants to disclose certain climate-related information in registration statements and Form 10-K annual reports. The Company is uncertain as of the date of the filing of this Form 10-K on the impact of these new rules on the Company. On March 15, 2024, the U.S. Fifth Circuit Court of Appeals granted an administrative stay of the Commission’s new climate change disclosure rules.

ITEM 1B. UNRESOLVED STAFF COMMENTS.

None.

ITEM 1C. CYBER SECURITY

The Company manages cybersecurity and data protection through a continuously evolving framework. The framework is intended to allow us to identify, assess and mitigate the various risks we face, and assists us in establishing policies and safeguards, which are modified as new cybersecurity risks and incidents occur, to protect our systems and the information of those we serve.

Our cybersecurity program is managed by our Chief Information Security Officer. The Audit Committee of the Board of Directors has oversight of our cybersecurity policy and is responsible for reviewing and assessing the Company’s cybersecurity risk management, procedures and resource commitment, including key risk areas and mitigation strategies. As part of this process, the Audit Committee receives regular updates from the Chief Information Security Officer on critical issues related to our information security risks, cybersecurity strategy, supplier risk and business continuity capabilities.

The Company’s framework includes an incident management and response program that monitors the Company’s information systems for vulnerabilities, threats and incidents; manages and takes action to contain incidents that occur; remediates vulnerabilities; and communicates the details of threats and incidents to management, including the Chief Information Security Officer, as deemed necessary or appropriate. Pursuant to the Company’s incident response plan, incidents are reported to the Audit Committee, appropriate government agencies and other authorities, as deemed necessary or appropriate, considering the actual or potential impact, significance and scope.

We work to require our third-party partners and contractors to handle data in accordance with our data privacy and information security requirements and applicable laws. We regularly engage with our suppliers, partners, contractors, service providers and internal development teams to identify and remediate vulnerabilities in a timely manner and monitor system upgrades to mitigate future risk, and ensure they employ appropriate and effective controls and continuity plans for their systems and operations.

To ensure that our program is designed and operating effectively, we perform regular vulnerability assessments and penetration tests to improve system security and address emerging security threats. We complete an enterprise information risk assessment as part of our overall enterprise information security risk management assessment, which is overseen by our Chief Information Security Officer. This risk assessment is a review of internal and external threats that evaluates changes to the information risk landscape to inform the program enhancements to be made in the future to rapidly respond and recover from potential attacks, including rebuild and recovery protocols for key systems. We evaluate our enterprise information security risk to ensure we address any unexpected or unforeseen changes in the risk environment or our systems and the resulting impacts are communicated to the Company’s overall enterprise risk management program.

We believe our Chief Information Security Officer, who has over 20 years of experience managing information technology and cybersecurity matters, has the appropriate knowledge, experience and expertise to effectively manage our cybersecurity program.

The Board of Directors has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee has been designated by our Board to oversee cybersecurity risks. The Audit Committee receives regular updates on cybersecurity and information technology matters and related risk exposures from our Chief Information Security Officer as well as other members of the senior leadership team. The Board also receives periodic updates from management and the Audit Committee on cybersecurity risks.

As of December 31, 2023, the Company had not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition, but there can be no assurance that any such risk will not materially affect the Company in the future, especially in light of the continuing efforts of sophisticated hackers to develop new means, and more effective versions of existing means, accessing and fraudulently exploiting companies’ computer and network systems and communications systems. For further information about the cybersecurity risks we face, and potential impacts, see Part I, Item 1A, “Risk Factors.”

April 2024 Email Spoofing Incident.

At 10:25 p.m., local Hong Kong SAR time, on April 9, 2024, the Company received information that indicated a possible email spoofing incident involving a wire transfer payment of accounting fees owed to the Company’s public auditor. By April 11, 2024, the Company verified that the Company had wired $30,825 as an intended payment of accounting fees owed to the public auditor to a third-party bank account on March 27, 2024, as a result of email spoofing presenting an invoice under the identity of the public auditor. An internal incident report was distributed by the Company’s Chief Information Security Officer about this email spoofing incident to Company’s senior officers, finance department personnel, Audit Committee and the Board. Based on conversations with Company’s bank and local law enforcement, the Company does not believe that recovery of the $30,825 payment is possible.

As a result of an internal review of this email spoofing incident involving the senior officers of the Company, the Company’s Chief Information Security Officer and Company’s Audit Committee, the Company adopted the following actions as of April 12, 2024:

- Only verified email addresses allowed for incoming and outgoing emails by the Company email system;
- Briefing company personnel about the incident and cybersecurity safeguard measures adopted;
- Overall enterprise information security risk management assessment, overseen by our Chief Information Security Officer, to determine any additional safeguards, both technology based and internal processes, for email spoofing and related cybersecurity risks; and
- Established regular cybersecurity and information technology matters and related risk exposure reports and briefings of Audit Committee.

The Company does not believe the April 2024 email spoofing incident was “material” due to the limited amount of money involved and the corrective measures adopted to prevent future incidents of a similar nature.

The Company identified another email spoofing effort in May 2014 by a scammer pretending to be one of the Company’s subsidiaries and asking an existing customer for payment owed to the subsidiary to be sent to the scammer’s bank account. This effort was detected by the Company and the customer and no money was sent to the scammer’s bank account. Company or its legal counsel filed reports of these incidents with appropriate regulatory and enforcement agencies in the appropriate jurisdictions.


Company Information

Name: Value Exchange International, Inc.
CIK: 0001417664
SIC Description: Services-Miscellaneous Business Services
Ticker: VEII - OTC
Website
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30