Solo Brands, Inc. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

Solo Brands, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 07:16:47 EDT.

Filings

10-K filed on 2025-03-12

Solo Brands, Inc. filed a 10-K at 2025-03-12 07:16:47 EDT
Accession Number: 0001870600-25-000029


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company recognizes the importance of being able to assess, effectively respond to and manage material cybersecurity threats and incidents that may compromise the confidentiality, integrity or availability of its information systems, data or network resources.

The Company has developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. The Company designs and assesses the program based on the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF. This means that the Company uses the NIST CSF as a guide to help it identify, assess, and manage cybersecurity risks relevant to our business. It does not, however, mean that the Company meets any technical standards, specifications, or requirements.

As part of its overall risk management framework, the Company maintains an Information Security Oversight Committee (“ISOC”) which is responsible for overseeing company-wide cybersecurity strategy, architecture and policies. The Company’s ISOC is chaired by its Chief Information Security Officer (the “CISO”), who reports to our Chief Information Officer, who is also a member of ISOC.

The Company has also established an Incident Response Team (“IRT”), which is a subset of the ISOC, and maintains an Incident Response Plan (“IRP”), the purpose of which is to respond to cybersecurity incidents. The IRT assesses the risks and impacts of cybersecurity incidents and creates and manages action plans for each specific cybersecurity incident. The IRP is designed to maximize the effectiveness of the Company’s response through an established plan of action and assigning responsibilities to appropriate personnel and/or third-party contractors.
The IRP contemplates that if a cybersecurity threat or incident is identified, the IRT would communicate the cybersecurity threat or incident and any damages to the CISO and other members of senior management of the Company. The Company then would assess the materiality of the cybersecurity threat or incident to determine if any public disclosures are required under the SEC’s cybersecurity disclosure rule. If deemed necessary, third-party consultants, legal counsel and assessors would be engaged to evaluate the materiality assessment.

The cybersecurity program of the Company interfaces with other functional areas within the Company, including but not limited to the Company’s brands and information technology, accounting, finance, legal and human resources, as well as external third-party partners, where appropriate, to assess, identify and manage potential cybersecurity threats. The Company aims to regularly assess and update its processes, procedures and management techniques in light of ongoing cybersecurity developments.

Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal IRT personnel; threat intelligence and other information obtained from governmental, public or private sources; and alerts and reports produced by security tools deployed in our internal IT environment.

Recognizing the complexity and evolving nature of cybersecurity threats, the Company also engages with a range of external experts, including cybersecurity assessors and consultants in evaluating and testing its cybersecurity management systems and IRP, including its use of third-party service providers. These partnerships enable the Company to leverage specialized knowledge and insights and to assist in updating its cybersecurity strategies and processes to align with industry best practices.
The Company’s collaboration with these third parties includes consultation and review of security enhancements.

To date, we have not identified risks from cybersecurity threats or incidents, including as a result of any previous cybersecurity incidents, that have materially affected the Company or are reasonably likely to materially affect our operations, business strategy, results of operations or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information on how cybersecurity risk could materially affect the Company’s business strategy, results of operations, or financial condition, please refer to “Item 1A Risk Factors-Risks Related to our Business and Industry-We rely significantly on the use of information technology, as well as those of our third-party service providers. Any significant failure, inadequacy, interruption or data security incident of our information technology systems, or those of our third-party service providers, could disrupt our business operations, which could have a material adverse effect on our business, prospects, results of operations, financial condition and/or cash flows.”

Governance

Our Board considers cybersecurity risk as part of its risk oversight function. The Board oversees management’s implementation of our cybersecurity risk management program. The Board receives periodic reports from the CISO on our cybersecurity risks. In addition, the CISO and ISOC members update the Board, where it deems appropriate, regarding any cybersecurity incidents it considers to be significant or potentially significant. The Board also receives briefings from the CISO and ISOC members on our cyber risk management program.
Board members receive presentations on cybersecurity topics from our CISO, internal security staff, or external experts as part of the Board’s continuing education on topics that impact public companies.

The ISOC is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our ISOC’s expertise includes a combined 20 plus years of experience in managing security technologies; designing and implementing security strategies; and risk management and incident response across various industries.

Our ISOC takes steps to stay informed about and monitor efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Mike Murray has served as our Chief Information Officer since April 2024. Mr. Murray brings with him a wealth of experience in technology leadership, including in the area of cybersecurity. Before joining the Company, Mr. Murray championed technology initiatives at The Container Store, overseeing critical areas such as IT governance, infrastructure, PMO, operations and support. Prior to The Container Store, he worked at Pier 1 Imports, Inc., which saw him in diverse senior leadership positions, notably as VP of Technology with a strategic focus on IT, Ecommerce, and Business Development.


Company Information

Name: Solo Brands, Inc.
CIK: 0001870600
SIC Description: Sporting & Athletic Goods, NEC
Ticker: DTC - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30