Trulieve Cannabis Corp. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Trulieve Cannabis Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 06:52:43 EST.

Filings

10-K filed on 2025-02-27

Trulieve Cannabis Corp. filed a 10-K at 2025-02-27 06:52:43 EST
Accession Number: 0001628280-25-008421

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Trulieve recognizes the critical importance of developing, implementing, and maintaining cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of the data we produce and collect. Managing Material Risks & Overall Risk Management We have a cross-departmental approach to addressing cybersecurity risk, including input from our employees, senior management, and the Audit Committee of our Board of Directors (the “Board”). We devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats promptly and effectively. We have a set of Company-wide cybersecurity policies and procedures and continue building these important document libraries. Management approves initial policies and reviews them periodically for updates and changes. Our cybersecurity program follows the internationally recognized risk framework, ISO 27001. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a multi-faceted cybersecurity strategy based on prevention, detection, and mitigation. The Company continues to work to ensure that our cybersecurity risks fully integrate into the Company’s overall risk management approach. Third-party Risk Management and oversight As part of our cybersecurity program, we engage with external service providers in our continuing cybersecurity efforts. These providers assist us in evaluating and enhancing the effectiveness of our information security policies and procedures. The partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity policies and procedures are comprehensive, up-to-date, and aligned with regulatory requirements. The use of these third-party providers is regularly reviewed and monitored by the appropriate members of management. We conduct thorough assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. Risks from Cybersecurity Threats We have not encountered cybersecurity challenges with a material impact on our strategic plan, operations, or financial standing. For additional information, see “Item 1A. Risk Factors - We are subject to security risks related to our products as well as our information and technology systems”. Governance Trulieve’s cybersecurity program is managed under the management purview of our Chief Technology Officer (" CTO “) and our Senior Director of Information Security, whose team (the “Cybersecurity Team”) is responsible for facilitating the enterprise-wide cybersecurity program. Our CTO has over 20 years of experience with large information technology footprints, including cybersecurity. His in-depth knowledge and expertise are instrumental in supporting our cybersecurity program and policies and overseeing our governance and compliance programs. The Information Security Governance Committee (“the IT Committee”) and the Audit Committee of our Board of Directors oversee management’s process for identifying and mitigating risks, including cybersecurity risks. The Audit Committee comprises board members with diverse expertise equipping them to oversee cybersecurity risks effectively. Management’s role in assessing and managing material risks from cybersecurity threats involves leadership, governance, resource allocation, and proactive risk management. Management’s involvement is crucial in safeguarding the Company’s digital assets, reputation, and long-term success. Our Cybersecurity Team provides periodic reports to our IT Committee and Audit Committee, our Chief Executive Officer, and other members of se nior management as appropriate. The IT and Audit committees actively participate in discussions with management regarding cybersecurity risks. The IT Committee and Audit Committee assess the Company’s cybersecurity program at least annually, including discussing management’s actions to identify and detect threats, and scenarios for potential response or recovery situations. In addition to regularly scheduled meetings, the IT and Audit Committee and appropriate senior management levels maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive.

Company Information