Karat Packaging Inc. 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

Karat Packaging Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:07:52 EDT.

Company Summary

Karat Packaging Inc. engages in the manufacture and distribution of single-use disposable products in plastic, paper, biopolymer-based, and other compostable forms used in various restaurant and foodservice settings.

Filings

10-K filed on 2025-03-14

Karat Packaging Inc. filed a 10-K at 2025-03-14 16:07:52 EDT
Accession Number: 0001628280-25-012816


Item 1C. Cybersecurity.

Cybersecurity risk management is a critical part of our overall risk management efforts. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our key systems and information. This program leverages the security-control principles outlined by the National Institute of Standards and Technology ("NIST") Cybersecurity Framework 2.0 and other industry-recognized standards, as applicable. Our program prioritizes detection, analysis, and response to known, anticipated or unexpected threats. Some of the processes in place to manage risks from cybersecurity threats include identity and access management, logging and monitoring, penetration testing, vulnerability scanning, security monitoring, employee awareness training, and professional services from third-party providers. As cybersecurity threats evolve, we assess our program and make enhancements as needed to address emerging risks, adopt best practices, and strengthen our overall security posture. Our cybersecurity risk management program in particular focuses on the following key areas:

Risk Assessment and Management

At least annually, we conduct a cybersecurity risk assessment to identify key cybersecurity risks, assess the likelihood of the identified risks and the potential business impact, and develop related mitigation and enhancement plans. Our cyber risk management initiatives are integrated within the Company's overall risk management process. The Company uses various techniques to identify cybersecurity risks, including but not limited to input from internal stakeholders, known and potential information security vulnerabilities identified through historical incidents and self-performed assessments, evaluations from third-party consultants, as well as external data including reported security incidents impacting other companies, and industry trends. The results of the assessment are used to drive alignment on prioritization of initiatives to enhance our security controls and measures, make recommendations to senior management, and if necessary, but at least annually, inform the Audit Committee and Board of Directors.

Incident Response and Recovery Planning

We maintain a comprehensive Incident Response and Recovery Plan (IRR Plan) designed to guide our preparation for, detection, response to, and recovery efforts in the event of cybersecurity incidents. The IRR Plan establishes clear roles and responsibilities for a cross-functional team (IR Team) tasked with handling cybersecurity incidents. The plan outlines a structured approach to managing incidents from the technical perspective, including monitoring, identification, investigation, assessment, containment, remediation, and mitigation. Additionally, the IRR Plan also addresses compliance with legal and reporting obligations, including any required notifications to affected parties, regulatory agencies, or the public, and reporting requirements with the SEC. Cybersecurity incidents are evaluated based on their severity, potential impact, and likelihood of escalation, and are prioritized for response, remediation, and disclosure as necessary. The IRR Plan is regularly reviewed and updated as necessary to incorporate improvements and enhance the organization's overall incident response capabilities. Should a cybersecurity event occur, the IR Team would review and assess the incident and determine whether further escalation and regulatory reporting are required. Any incident assessed as potentially being or becoming material is immediately escalated to the Audit Committee, and meetings of the Audit Committee and/or full Board of Directors would be held, as required. We consult with our outside legal counsel as appropriate, including on materiality analysis and disclosure matters. Senior management makes the final materiality determination and disclosure decisions. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made in a timely manner.

Collaboration

We periodically engage third-party cybersecurity experts to assess and enhance our cybersecurity risk management program, and to ensure compliance with industry best practices and applicable standards. These partnerships enable us to stay ahead of evolving threats and implement robust strategies to protect critical systems and data in the event of cybersecurity incidents.

Internally, our cybersecurity initiatives are led by our Information Technology ("IT") team headed by our experienced IT Manager, who is a Microsoft Certified Professional and holds certifications in CompTIA Network+ and Cisco Networking. During 2024, we also onboarded a Director of IT Research & Development with over 15 years of experience in IT, systems development, and cybersecurity frameworks, including senior roles at Fortune 500 companies. Both these IT leaders play a key role in driving strategies and solutions for system protection and incident management. We have also established an IT steering committee consisting of members from various key departments including IT, Finance, Operations, and Human Resources. The IT steering committee convenes regularly to review and align on IT strategic priorities, including the cybersecurity risk management program. This cross-functional approach ensures that cybersecurity efforts are integrated across the organization and that emerging risks are addressed proactively. In addition, we emphasize a company-wide culture of cybersecurity awareness. Employees are required to participate in mandatory training sessions at least annually, covering topics such as phishing recognition and threat response protocols. Other regular and ongoing security communications are also provided to reinforce these lessons and ensure that cybersecurity remains a priority at every level of the organization.

Further, we work closely with third-party software-as-a-service providers and other service partners to manage and mitigate security risks by implementing robust policies and procedures. Our process includes conducting thorough risk assessments during onboarding and requiring providers to maintain and implement strong security measures within their respective organizations. We mandate contractual obligations for timely notification of any material data breaches, enabling us to respond quickly to protect our data and operations.

Governance

Cybersecurity is an important part of our risk management processes and an area of focus for senior management. Our Board of Directors has oversight of our strategic and business risk management, and has delegated cybersecurity risk management oversight to the Audit Committee. Members of the Audit Committee receive updates on an as-needed basis, but at least annually, from senior management. This includes existing and new cybersecurity risks, how management is assessing and addressing such risks, status on key information security initiatives, and cybersecurity incidents, if any, and responses. Members of our Board of Directors also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management program.

Impact of Cybersecurity Risks and Threats

As of the date of this report, we are not aware of any cybersecurity threats or incidents that have materially affected our business, financial condition, results of operations or cash flows. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. There can also be no guarantee that our policies and procedures under our cybersecurity risk management program will be properly followed in every instance or that those policies and procedures will be effective. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A "Risk Factors" for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.


Company Information

Name: Karat Packaging Inc.
CIK: 0001758021
SIC Description: Plastics Products, NEC
Ticker: KRT - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30