HG Holdings, Inc. 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

HG Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 07:00:38 EDT.

Filings

10-K filed on 2025-03-27

HG Holdings, Inc. filed a 10-K at 2025-03-27 07:00:38 EDT
Accession Number: 0001437749-25-009465

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As part of our commitment to maintaining the integrity, confidentiality, and availability of our information assets, the Company places a significant emphasis on cybersecurity. The Company’s risk management program is designed to comply with laws and regulations applicable to cybersecurity. The Board is responsible for overseeing the Company’s risk management program and cybersecurity is a critical element of this program. The Company’s management, including its Director of Information Technology, is responsible for the day-to-day administration of the Company’s risk management program and its cybersecurity policies, processes, and practices. Our Director of Information Technology has served in similar roles in information technology and information security for over 20 years. He holds an undergraduate degree in Management Information Systems. Our strategies, policies, and initiatives aimed at protecting our systems and data against potential threats are outlined below. 1. Cybersecurity Governance: The Company has established a robust governance framework to oversee cybersecurity initiatives. This framework includes: ● Regular risk assessments by management, including our Director of Information Technology, and audits to identify vulnerabilities and areas for improvement. The Company performs annual financial and risk assessment audits aimed at identifying potential security threats. The Board has responsibility for oversight of potential threats relating to cybersecurity. In furtherance of such responsibility, the Director of Information Technology reports to the Board as needed on information about such threats, which may include the current cybersecurity threat landscape, defensibility measures implemented by the Company, the health of the Company’s information security system, and the effectiveness of the Company’s cybersecurity controls. ● Clear delineation of roles and responsibilities within the organization for cybersecurity-related tasks. 2. Cybersecurity Policies: The Company has implemented a comprehensive set of cybersecurity policies and procedures designed to mitigate risks and protect our information assets. These policies cover areas such as: ● Access control: Ensuring that access to sensitive systems and data is granted only to authorized personnel and regularly reviewed and updated. ● Incident response: Establishing procedures for responding to cybersecurity incidents in a timely and effective manner. This includes notifying appropriate stakeholders, conducting a thorough investigation, and implementing remediation measures to prevent future occurrences. ● Employee training: Providing ongoing cybersecurity awareness training to all employees to ensure they understand their role in protecting company assets. 3. Cybersecurity Compliance: The Company is committed to complying with all applicable cybersecurity regulations and standards. We regularly review our cybersecurity practices to ensure they align with industry best practices and regulatory requirements. Cybersecurity is a top priority for us and we are dedicated to continuously improving our cybersecurity posture to protect our systems and data from evolving threats. By implementing robust governance, policies, technologies, and compliance measures, we strive to maintain the trust and confidence of our stakeholders in our ability to safeguard their information. Pursuant to the Company’s cybersecurity policy, the Board will be promptly notified of any material cybersecurity incident required to be disclosed under Item 1.05 of Form 8 -K and shall oversee the Company’s response to such matter. In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Item 1A. Risk Factors - Risks Related to the Company - Cybersecurity risks and cyber incidents may adversely affect our business in the event we or any other party that provides us with essential services experiences cyber incidents” in this Annual Report on Form 10-K.

Company Information