Page last updated on October 30, 2024
PRICESMART INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-30 16:04:49 EDT.
Accession Number: 0001041803-24-000044
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
PriceSmart has developed, implemented, and maintained a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical technology systems, data and information. We have implemented processes and protocols designed to monitor, identify, mitigate and prevent material risks associated with cybersecurity threats and incidents relevant to internal networks, business applications, customer-facing applications, customer payment systems, and business operations.
Cybersecurity represents an important component of our overall cross-functional approach to risk management. Our cybersecurity practices are integrated into the Company’s enterprise risk management (“ERM”) approach, and cybersecurity risks are among the core enterprise risks identified for oversight by the Board through our annual ERM assessment.
Our cybersecurity risk management program utilizes information and guidance derived from industry-recognized frameworks, including the International Organization for Standardization (ISO) 27001 Framework and the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (CSF), specifically the NIST 800-53 and NIST 811-171 publications. While we have based our cybersecurity risk management program on these frameworks, we have not obtained these specific certifications to date. Our cybersecurity risk management program is overseen by our Chief Information Officer (“CIO”) and/or our First Vice President of Information Security (“FVPIS”) and reviewed annually.
Our cybersecurity risk management program includes but is not limited to the following:
- risk assessments performed both internally and by external vendors to assist in the identification of material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise Information Technology (IT) environment;
- contracting with and use of third-party service providers, where deemed necessary, to assess, test or otherwise assist with aspects of our security controls;
- cybersecurity awareness training for our employees;
- adoption of a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a risk management process for selecting and working with key service providers, suppliers, and vendors that takes into account our assessment of their criticality to our operations and their respective risk profiles.
We continuously monitor, assess, and strategically invest to improve the effectiveness and resiliency of our information security systems to keep abreast of the dynamic and complex cybersecurity landscape. We use third-party vendors to review and test our IT systems and utilize our internal team of experienced personnel to evaluate and assess the efficacy of cybersecurity systems and to make recommendations and identify opportunities for improvements to our cybersecurity risk management program. We report the results of these assessments to our Audit Committee regularly and to our Board of Directors at least annually.
In the event of a potential cybersecurity incident, or a series of related cybersecurity incidents, we have cybersecurity incident response frameworks in place. These frameworks are a set of coordinated procedures and tasks that our incident response teams execute with the goal of ensuring timely and accurate identification, resolution and reporting of cybersecurity incidents both internally and externally, as necessary.
We regularly test and update these frameworks to ensure timely and accurate identification, resolution, and reporting of cybersecurity incidents.
We have not identified and are not aware of any risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us.
For more information about the cybersecurity risks we face, see “Item 1A - Risk Factors - Any failure by us to maintain the security of the information we hold relating to our Company, Members, employees and vendors, could damage our reputation with them, could disrupt our operations, could cause us to incur substantial additional costs and to become subject to litigation and could materially adversely affect our operating results.”
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program.
The Audit Committee receives quarterly reports from our CIO and/or our FVPIS regarding any significant cybersecurity incidents, as well as any incidents with lesser impact potential. The CIO and FVPIS report quarterly to the Audit Committee and Board regarding cybersecurity risks and the status of our cyber risk management program. Our CIO and/or FVPIS also periodically make presentations to Board members on cybersecurity topics as part of the Board’s continuing education on topics that impact our company.
Our Cybersecurity team also provides reports to the Board’s Digital Transformation Committee. The Digital Transformation Committee is charged with oversight of the Company’s omni-channel development and digital transformation to enhance membership and stockholder value. In this capacity, the Digital Transformation Committee oversees the Company’s design and implementation of various IT systems, with emphasis on maintaining a secure digital environment.
Our Cybersecurity team informs executive management about ongoing efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means. This may include briefings from internal security personnel; sharing publicly or privately available threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and forwarding alerts and reports produced by network monitoring and security tools we deploy.
Our CIO and FVPIS collectively have over eight decades of IT and cybersecurity experience, including five decades in senior-level leadership roles. Our FVPIS spent over three decades in federal law enforcement working in cyber related roles.
Company Information
Name | PRICESMART INC |
CIK | 0001041803 |
SIC Description | Retail-Variety Stores |
Ticker | PSMT - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | August 30 |