OneWater Marine Inc. 10-K Cybersecurity GRC - 2024-12-10

Page last updated on December 11, 2024

OneWater Marine Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-10 16:44:53 EST.

Filings

10-K filed on 2024-12-10

OneWater Marine Inc. filed a 10-K at 2024-12-10 16:44:53 EST
Accession Number: 0001772921-24-000101


Item 1C. Cybersecurity.

Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks

We seek to assess, identify and manage cybersecurity risks through the processes described below:

- Risk Assessment: A multi-layered system designed to protect and monitor data and cybersecurity risk has been implemented. Assessments of our cybersecurity safeguards are conducted by independent cybersecurity vendors. Our internal Information Systems team conducts regular evaluations designed to assess, identify and manage material cybersecurity risks, and we endeavor to update cybersecurity infrastructure, procedures, policies, and education programs in response. We use firewalls and cyber security software protection, and we additionally rely on a third-party vendor for alerts regarding suspicious activity.
- Incident Identification and Response: A monitoring and detection system has been implemented to help promptly identify cybersecurity incidents. In the event of any breach or cybersecurity incident, we have an incident response plan that is designed to provide for action to contain the incident, mitigate the impact, and restore normal operations efficiently.
- Cybersecurity Training and Awareness: All employees and contractors are required to receive semi-annual cybersecurity awareness training. Employees also receive training in response to drills and simulated attacks.
- Access Controls: Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. A multi-factor authentication process has been implemented for employees accessing company information.
- Encryption and Data Protection: Encryption methods are used to protect sensitive data in transit and at rest. This includes the encryption of customer data, financial information, and other confidential data.

We also have programs in place to monitor our retained data with the goal of identifying personal identifiable information and taking appropriate actions to secure the data.

We incorporate external expertise and reviews as part of our cybersecurity program. For example, we have engaged an independent cybersecurity advisor to review, assess, and make recommendations regarding our information security program and information technology strategic plan.

We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, before engaging with any third-party service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require them to adhere to security standards and protocols. Further, we request that third-party service providers with access to personally identifiable information enter into data processing services agreements and adhere to our policies and standards.

The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.

Impact of Risks from Cybersecurity Threats

As of the date of this report, though the Company and its third-party service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect our business, financial condition, results of operations or cash flows. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains.

Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology (“IT”) systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Board of Directors’ Oversight and Management’s Role

Through the Company’s enterprise risk management program, the Board of Directors is responsible for overseeing cybersecurity, information security, and information technology risks, as well as management’s actions to identify, assess, mitigate, and remediate those risks. As part of its program of regular risk oversight, the Audit Committee assists the Board in exercising oversight of the Company’s cybersecurity, information security, and information technology risks. The Board or Audit Committee regularly reviews and discusses with management the Company’s policies, procedures and practices with respect to cybersecurity, information security and information and operational technology, including related risks. In addition, the Company’s Director of Information Systems is responsible for upward reporting of emerging cybersecurity incidents.

Recognizing the importance of cybersecurity to the success and resilience of our business, the Board considers cybersecurity to be a vital aspect of corporate governance. To facilitate effective oversight, our cybersecurity leadership team holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks.

Our cybersecurity leadership team is made up of highly experienced professionals with a background in information security, risk management, and incident response. This background includes leading and developing cyber security operations and incident response programs for business organizations, developing comprehensive cyber security strategies, and managing complex cybersecurity projects across various industries.


Company Information

Name: OneWater Marine Inc.
CIK: 0001772921
SIC Description: Retail-Auto & Home Supply Stores
Ticker: ONEW - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: September 29