Toughbuilt Industries, Inc 10-K Cybersecurity GRC - 2024-12-20

Page last updated on December 23, 2024

Toughbuilt Industries, Inc reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-20 21:37:14 EST.

Filings

10-K filed on 2024-12-20

Toughbuilt Industries, Inc filed a 10-K at 2024-12-20 21:37:14 EST
Accession Number: 0001213900-24-111385


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, and violation of data privacy or security laws. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy, and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal IT audits, IT security, governance, risk, and compliance reviews. To defend, detect, and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, monitor emerging laws and regulations related to data protection and information security (including our consumer products) and implement appropriate changes. We have implemented incident response and breach management processes. In the event of an incident, the Cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost, and potential for reputational harm, with support from external technical, legal and law enforcement support, as appropriate. Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational, business, and privacy impact.

We occasionally engage third parties and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers when handling and/or processing our employee, business, or customer data. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents. Because we develop, process, store, and transmit large amounts of data, including confidential, classified, sensitive, proprietary, and business and personal information, failure to prevent or mitigate data loss, theft, misuse, unauthorized access, or other security breaches or vulnerabilities affecting our systems could: expose us or our customers to a risk of loss, disclosure, or misuse of such information; adversely affect our operating results; result in litigation, liability, or regulatory action (including under laws related to privacy, data use, data protection, data security, network security, and consumer protection); deter customers or sellers from using our products and services; and otherwise harm our business and reputation. We use third-party technology and systems for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support, and other functions.

Although we have developed systems and processes that are designed to protect our data and prevent such incidents, including systems and processes designed to reduce the impact of a security breach at a third-party vendor or customer, such measures cannot provide absolute security and may fail to operate as intended or be circumvented.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates every quarter from senior management, including leaders from our Information Security, Product Security, Compliance, and Legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, the status of how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and the status of key information security initiatives. Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Technology, Information Security, Product Security, Compliance, and Legal teams. Such individuals have extensive prior work experience in various roles involving information technology, including security, auditing, compliance, systems, and programming. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee.

The Company acknowledges the increasing importance of cybersecurity in today's digital and interconnected world. Cybersecurity threats pose significant risks to the integrity of our systems and data, potentially impacting our business operations, financial condition, and reputation. As a smaller reporting company, we currently do not have formalized cybersecurity measures, a dedicated cybersecurity team, or specific protocols to manage cybersecurity risks. Our approach to cybersecurity is in the developmental stage, and we have not yet conducted comprehensive risk assessments, established an incident response plan, or engaged with external cybersecurity consultants for assessments or services. Given our current stage of cybersecurity development, we have not experienced any significant cybersecurity incidents to date. However, we recognize that the absence of a formalized cybersecurity framework may leave us vulnerable to cyber-attacks, data breaches, and other cybersecurity incidents. Such events could potentially lead to unauthorized access to, or disclosure of, sensitive information, disrupt our business operations, result in regulatory fines or litigation costs, and negatively impact our reputation among customers and partners. The Company is in the process of evaluating our cybersecurity needs and developing appropriate measures to enhance our cybersecurity posture. This includes considering the engagement of external cybersecurity experts to advise on best practices, conducting vulnerability assessments, and developing an incident response strategy. Our goal is to establish a cybersecurity framework that is commensurate with our size, complexity, and the nature of our operations, thereby reducing our exposure to cybersecurity risks. Despite our efforts to improve our cybersecurity measures, there can be no assurance that our initiatives will fully mitigate the risks posed by cyber threats. The landscape of cybersecurity risks is constantly evolving, and the Company will continue to assess and update our cybersecurity measures in response to emerging threats.
For a discussion of potential cybersecurity risks affecting the Company, please refer to Item 1A - Risk Factors - Risks Related to IT in this report.


Company Information

Name: Toughbuilt Industries, Inc
CIK: 0001668370
SIC Description: Cutlery, Handtools & General Hardware
Ticker: TBLT - OTC
Website:
Category: Emerging growth company
Fiscal Year End: December 30