EXP OldCo Winddown, Inc. 10-K Cybersecurity GRC - 2024-12-30

Page last updated on December 31, 2024

EXP OldCo Winddown, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-30 20:17:38 EST.

Filings

10-K filed on 2024-12-30

EXP OldCo Winddown, Inc. filed a 10-K at 2024-12-30 20:17:38 EST
Accession Number: 0001483510-24-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Except as otherwise specifically stated therein, the description of the Company’s cybersecurity risk management program set forth is as of February 3, 2024 (the last day of the Company’s 2023 fiscal year), which was prior to the completion of the Sale Transaction. Although our Board of Directors (the “Board”) still oversees cybersecurity risks, due to limited resources and personnel following the Sale Transaction, we currently no longer have in place the cybersecurity risk management program and governance structure described below, which may make us susceptible to heightened cybersecurity risks. RISK MANAGEMENT AND STRATEGY Cybersecurity risk management is an integral part of our enterprise risk management strategy, which is overseen by the Board. Cybersecurity is critical to maintaining the trust of our customers and business partners, and we are committed to protecting our and their confidential and sensitive information and to mitigating cybersecurity risks that impact our systems and networks. In order to respond to the threat of security breaches and cyberattacks, we have developed a program, overseen by our Chief Technology Officer, that is designed to assess, identify, and manage material risks from cybersecurity threats. Our information security program is focused on protecting and preserving the confidentiality, integrity and continued availability of all information owned by, or in the care of, the Company. This program includes an incident response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incident. We periodically conduct cross-functional tabletop training exercises to rehearse our response to cyber-related breach incidents or other major security events. We also mandate information security awareness training for all employees, along with testing employee readiness through phishing simulations and providing periodic security information updates. We regularly perform evaluations of our information security program and continue to invest in our capabilities to keep our customers, partners, suppliers and information assets in our possession safe. Although we employ service provider due diligence and onboarding procedures to identify potential cybersecurity risk, our ability to monitor the cybersecurity practices of our service providers is limited and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information system, software, networks and other assets owned or controlled by our vendors. GOVERNANCE The Board oversees our information security program. The Audit Committee of the Board (the “Audit Committee”), which is tasked with oversight of certain risk issues, including cybersecurity, receives reports from the Chief Technology Officer throughout the year. The Board and the Audit Committee also receive updates about the results of readiness assessments led by outside advisors who provide a third-party independent assessment of our technical program and our internal response preparedness. The Audit Committee regularly briefs the full Board on these matters, and the full Board also receives periodic briefings on cybersecurity threats to enhance our directors’ literacy on security issues. EXP OldCo Winddown, Inc. | 2023 FORM 10-K | Our Chief Technology Officer is responsible for developing and executing our information security program. The Chief Technology Officer partners with key corporate functions for the purpose of identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risks are monitored, implementing appropriate mitigation measures, reporting cybersecurity breaches and other information security incidents, and maintaining our information security program. The Chief Technology Officer has more than a decade of information technology leadership experience, including responsibility for cybersecurity matters. Our information security team, reporting to the Chief Technology Officer, have appropriate cybersecurity experience and education, including CISSP and CompTIA certifications. Our management team receives regular updates on our cybersecurity posture and reviews detailed information about our cybersecurity preparedness. At least quarterly, management provides the Board and the Audit Committee with updates about our cybersecurity and related risk exposures, our policies and procedures to mitigate such exposures and the status of projects to strengthen our information security infrastructure and program maturity and defend against and respond to cybersecurity threats.

Company Information