Page last updated on December 12, 2024
Natural Grocers by Vitamin Cottage, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-12 16:15:43 EST.
Filings
10-K filed on 2024-12-12
Natural Grocers by Vitamin Cottage, Inc. filed a 10-K at 2024-12-12 16:15:43 EST
Accession Number: 0001437749-24-037351
Item 1C. Cybersecurity.
Risk Management and Strategy
We rely on computer systems and information technology to conduct our business, including to securely transmit data associated with cashless payments. These systems and technology are increasingly complex and vital to our operations, which has resulted in an expansion of our technological presence and corresponding risk exposure. In addition, these systems are inherently vulnerable to disruption or failure, as well as internal and external security breaches, denial of service attacks and other disruptive problems caused by cybersecurity threat actors. We have not experienced any cybersecurity incidents that have materially impacted or are likely to materially impact our business strategy, results of operations or financial condition based on information known to us as of the date of this report.
Under the oversight of our Board, our management has developed a cybersecurity risk management program based on the Center for Internet Security Critical Security Controls framework that is integrated with our overall risk management program and is designed to assess, identify, manage and mitigate material cybersecurity risks. Our cybersecurity program includes policies and procedures that govern how security measures and controls are implemented and maintained. We identify and implement security controls to address cybersecurity risks based on an annual risk assessment and our evaluation of relevant factors, including the likelihood of risk, the potential impact and severity of the risk, the feasibility and expense of potential controls, and the impact of controls on our operations. Our cybersecurity program includes regular security assessments and testing, regular employee trainings, third-party security audits, and solutions designed to detect and mitigate cybersecurity threats, including data breaches, malware, ransomware and phishing attacks.
We utilize third party security firms and consultants to test our cybersecurity control environment and to provide certain security measures that we use to protect our information technology environment, including to detect and filter external phishing and malware threats, to provide enhanced endpoint protection and to protect our data through data classification. We have developed a third-party cybersecurity risk management process to conduct due diligence on external entities, including those that perform cybersecurity services. We have prepared a written incident response plan and crisis management plan to enhance our ability to respond to cybersecurity incidents. We periodically conduct internal tabletop exercises to enhance incident response preparedness. Our employees are required to participate in regular cybersecurity awareness trainings upon hiring and on a quarterly basis thereafter.
Cybersecurity Governance
Our Vice President of Information Technology (our VP of IT) has primary responsibility for monitoring, assessing and managing our material risks from cybersecurity threats. He oversees a dedicated information technology team that is responsible for managing enterprise-wide information security strategy, policy, standards, architecture and processes, and is regularly informed of, and monitors, the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. Our VP of IT has over 25 years of information technology experience, has earned a graduate degree in Cybersecurity and Information Assurance, and maintains relevant industry designations including Certified Information Systems Security Professional and Certified Information Security Manager certifications.
Our Board considers cybersecurity risk as a part of its overall risk oversight function. Our Board receives reports from our VP of IT at least bi-annually, and on an as-needed basis, on cybersecurity risks and actions taken to mitigate those risks. These reports include updates on our cybersecurity risks and the emerging threat environment, and the status of projects designed to enhance our information security systems and programs.
Company Information
Name | Natural Grocers by Vitamin Cottage, Inc. |
CIK | 0001547459 |
SIC Description | Retail-Grocery Stores |
Ticker | NGVC - NYSE |
Website | |
Category | Accelerated filer Smaller reporting company |
Fiscal Year End | September 29 |