cbdMD, Inc. 10-K Cybersecurity GRC - 2024-12-18

Page last updated on December 18, 2024

cbdMD, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-18 16:05:56 EST.

Filings

10-K filed on 2024-12-18

cbdMD, Inc. filed a 10-K at 2024-12-18 16:05:56 EST
Accession Number: 0001437749-24-037840


Item 1C. Cybersecurity.

Like all companies that utilize technology, we are subject to threats of breaches of our technology systems. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management. Our IT department and our management actively oversee our risk management program, including the management of cybersecurity risks. We have contracted with cybersecurity and risk assessment experts to help test our systems and guide the ongoing development of best practices policies. We have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats, including those discussed in our Risk Factors. We have devoted resources to implement and maintain security measures to meet regulatory requirements and shareholder expectations, and we intend to continue to make investments to maintain the security of our data and cybersecurity infrastructure.

While there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective, we believe that our company’s sustained investment in these efforts and technologies have put the Company in a position to protect against potential compromises, and we do not believe that risks from prior cybersecurity threats have materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that past or future attacks will not materially affect us, including our business strategy, results of operations, or financial condition.

Risk management and strategy.

We employ a multi-layered cybersecurity defense strategy that includes:

● Network and endpoint protection: Utilizing firewalls, intrusion detection systems, antivirus software, and advanced encryption protocols to safeguard sensitive data and systems.
● Multi-factor authentication, security and principle of least privileged (PoLP)
● Employee training and awareness programs: Educating employees on cybersecurity best practices and conducting phishing simulations to promote vigilance against social engineering attacks.
● Incident detection and response plans: Maintaining real-time monitoring and implementing a structured incident response plan that allows us to quickly detect, respond to, and recover from cyber incidents.
● Third-party risk management: Vetting the cybersecurity controls of vendors and partners to ensure that their practices align with our standards for protecting sensitive information.
● While we have not experienced a cybersecurity incident that has had a material impact to date, the threat of potential incidents remains high. We continually evaluate our exposure to risks such as:
  ○ Operational disruption from ransomware or other cyberattacks.
  ○ Data breaches that could compromise customer or proprietary information.
  ○ Regulatory and legal exposure arising from cybersecurity failures.

As part of our risk management framework, we regularly assess whether any cybersecurity incidents, or the likelihood of such incidents, could materially affect our business. We are also committed to continuous improvements to address emerging threats.

Governance.

Our board of directors plays an active role in overseeing the company’s approach to managing cybersecurity risks. The board receives regular updates from senior management regarding the company’s cybersecurity strategy, potential risks, and any incidents that may arise. These updates ensure that the board remains informed and able to provide guidance on cybersecurity matters. The board is also regularly briefed by management on the Company’s cybersecurity policies, risk assessments, and mitigation strategies. This reporting structure allows the board to remain engaged with the company’s efforts to address and manage evolving cyber threats, ensuring that cybersecurity is aligned with our overall risk management framework.

Management, led by the IT department, plays a critical role in assessing and managing material risks related to cybersecurity. This includes implementing day-to-day cybersecurity measures, conducting regular risk assessments, and ensuring the timely response to any cyber threats or incidents. The IT department is responsible for ensuring that cybersecurity is integrated into our company’s broader risk management strategy, with direct reporting lines to both senior executives and the board of directors.


Company Information

Name: cbdMD, Inc.
CIK: 0001644903
SIC Description: Perfumes, Cosmetics & Other Toilet Preparations
Ticker: YCBD - NYSE; YCBD-PA - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: September 29