Page last updated on February 27, 2025
Cronos Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 07:33:15 EST.
Filings
10-K filed on 2025-02-27
Cronos Group Inc. filed a 10-K at 2025-02-27 07:33:15 EST
Accession Number: 0001656472-25-000014
Item 1C. Cybersecurity.
Our cybersecurity processes include:

- Basic security awareness online training for personnel with company email, at least annually;
- Phishing tests for personnel with company email on a periodic basis;
- Reviews of certain third-party vendors’ information security programs (as discussed below);
- Consultation with external advisors regarding opportunities and enhancements to strengthen our practices and policies, on an ad hoc basis;
- Electronic monitoring of the majority of our technology environments to identify cybersecurity events, including the use of a security information and event management system;
- Periodic assessments of existing technology hardware configurations, patches, security and lifecycle;
- Periodic assessments, in consultation with software providers, of existing software versions, configurations, patches and updates; and
- Periodic assessments of data management and handling, including data use and access reviews.

Certain information technology general controls are reviewed and tested as part of our internal control over financial reporting.

We rely on third-party services for penetration testing, security incident monitoring, managing our enterprise-wide cybersecurity processes, incident response preparation, end point protection, and security awareness online training.

Before engaging third-party service providers to whom we grant access to our information technology systems, we may review their information security programs, depending on the feasibility of such review and our assessment of the level of risk the third-party service provider poses to our business operations and our information technology and financial reporting systems. We determine risk level based on a set of internally developed criteria. We do not, however, review the information security programs of all third-party vendors.

Where feasible, we also conduct periodic reviews (typically annual) of certain third-party service providers, particularly service providers of financial, financial reporting and accounting systems, depending on our assessment of the level of risk to our business operations and our information technology and financial reporting systems.

To date, we are not aware of any cybersecurity incident that has had or is reasonably likely to have a materially adverse effect on our business, including our business strategy, results of operations and financial condition. However, there can be no assurance that our processes and procedures will prevent or timely detect a cybersecurity incident. For more information regarding risks from cybersecurity threats, see "Risk Factors-Risks Relating to Our Products-Risks Relating to Production and Distribution of Products."

Our Board has delegated oversight of our program for assessing, monitoring and mitigating cybersecurity risks to our Audit Committee. Our Audit Committee receives periodic reports on our program for assessing, monitoring and mitigating cybersecurity risks. In addition, as part of its overall responsibility for overseeing the adequacy of the Company’s internal control over financial reporting, our Audit Committee receives periodic reports about our financial reporting information system controls and security.

Our Information Systems department, in addition to managing our general information technology systems, is also responsible for managing our enterprise-wide cybersecurity processes. Our Information Systems department relies on a third-party managed security service provider (“MSSP”) to implement, manage and monitor our cybersecurity systems. Personnel in our Information Systems department, together with personnel at the MSSP, collectively have decades of experience in information security, information technology and cybersecurity operations.
The MSSP monitors and receives notifications of potential cybersecurity incidents detected through automated detection and monitoring tools, which are communicated to personnel within our Information Systems department. In the event we discover a material cybersecurity incident, Information Systems personnel report such incident to our Chief Strategy Officer, who then reports to our Chief Executive Officer and the Audit Committee, as appropriate. We do not currently have a permanent Chief Information Security Officer or other senior security officer of a similar title and rely significantly on the MSSP for management of enterprise-wide cybersecurity processes.

Company Information
Name | Cronos Group Inc. |
CIK | 0001656472 |
SIC Description | Medicinal Chemicals & Botanical Products |
Ticker | CRON - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |