Page last updated on February 25, 2025
BEYOND, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:46:12 EST.
Filings
10-K filed on 2025-02-25
BEYOND, INC. filed a 10-K at 2025-02-25 16:46:12 EST
Accession Number: 0001130713-25-000024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Our company recognizes the critical importance of cybersecurity in our digital operations and has established a risk management program to address both internal and external cybersecurity threats. This program, guided by industry frameworks like NIST CSF and overseen by experienced leadership teams, integrates advanced security tools and practices into our broader enterprise risk management system, actively involving our Executive team and Board of Directors (the “Board”) in its oversight. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use NIST CSF and similar frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Despite our efforts and resource allocation, we acknowledge the challenges posed by the evolving nature of cyber threats and the limitations in fully mitigating these risks.
We have not observed any significant impacts from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected our operational results and strategic or financial condition. Criteria used to determine the materiality of an incident include, but are not limited to, evaluating the scope, nature, type, systems, data, operational impact, and pervasiveness of the incident. Materiality also considers both quantitative and qualitative factors in determining impact. Nevertheless, given the unpredictable nature of cyber threats, we cannot assure that potential future impacts will not have a material impact.
See “Risk Factors - If we or our third-party providers experience cyberattacks or data security incidents, there may be damage to our brand and reputation, material financial penalties, and legal liability, which would materially adversely affect our business, results of operations, and financial condition.”
Key elements of our cybersecurity risk management program include, but are not limited to, the following:
- risk assessments designed to help identify material risks from cybersecurity threats to our critical systems and information;
- a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
- cybersecurity awareness training of our employees, including incident response personnel and senior management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for key service providers based on our assessment of their criticality to our operations and respective risk profile.
Cybersecurity Governance
Our Board of Directors oversees the organization’s preparedness for cyber threats as part of its risk oversight function. This involves working to understand our risk profile, reviewing our cybersecurity processes, and maintaining an incident response plan. The Board strives to engage in active participation in continuous cybersecurity strategy improvement. In March 2023, the Board enhanced its cybersecurity expertise with the addition of Joanna Burkey. Ms. Burkey has an extensive cybersecurity background and has served as Chief Information Security Officer (CISO) at both HP and Siemens.
The Audit Committee, designated as the responsible body for risk management and compliance oversight, endeavors to ensure information flow of risk by regularly reporting its activities to the Board, including those related to cybersecurity.
Our cybersecurity program is led by our Chief Information Security Officer (CISO), who has over 20 years of experience in the cybersecurity field, and who is primarily responsible for assessing and managing material risks from cybersecurity threats. Their expertise is supported by industry certifications, regular participation in leading advanced training programs, and advisement roles. The CISO leads a dedicated team of security professionals who provide coverage of critical program capabilities.
Our CISO and larger cybersecurity risk management team take steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.
Our CISO provides regular reports to the Audit and Technology Committees, senior management, and relevant stakeholders, for the purpose of keeping them informed on evolving cyber threats, ongoing assessments, and any significant findings. This collaborative approach is intended to support informed decision-making, and timely response to potential risks, safeguarding our critical assets and valuable information.
Company Information
Name | BEYOND, INC. |
CIK | 0001130713 |
SIC Description | Retail-Catalog & Mail-Order Houses |
Ticker | BYON - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |