CHARLES & COLVARD LTD 10-K Cybersecurity GRC - 2025-04-03

Page last updated on April 4, 2025

CHARLES & COLVARD LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-03 16:45:54 EDT.

Filings

10-K filed on 2025-04-03

CHARLES & COLVARD LTD filed a 10-K at 2025-04-03 16:45:54 EDT
Accession Number: 0001140361-25-012058

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our business operations rely on the secure processing, storage, and transmission of certain confidential, sensitive, proprietary, and other information, as well as personal information about our customers and employees. Risk Management and Strategy We maintain a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated with our overall risk assessment process and has been embedded in our operating procedures, internal controls and information systems. The underlying controls of the cybersecurity risk management program are based on recognized best practices consistent with National Institute of Standards and Technology, or NIST and Cybersecurity Framework, or CSF . We have invested and continue to invest in risk management and information security and data privacy measures in order to protect our systems and data, including employee training, organizational investments, incident response plans, and technical defenses. The cost and operational consequences of implementing, maintaining, and enhancing data or system protection measures could increase significantly to overcome intense, complex, and sophisticated global cyber threats. We constantly monitor our cybersecurity environment and coordinate with third-party consultants to provide regular cybersecurity training and promote cybersecurity awareness across the organization. In addition, we and certain of our third-party vendors receive and store certain information associated with our sales operations and other aspects of our business. In connection with our e-commerce business, we rely on encryption and authentication technology licensed from third parties to effect secure transmission of confidential information. Our disclosure controls and procedures address cybersecurity and include elements intended to ensure that there is an analysis of potential disclosure obligations arising from security breaches. We also maintain compliance programs to address the potential applicability of restrictions against trading while in possession of material, nonpublic information generally and in connection with a cybersecurity breach. The breakdown in existing controls and procedures around our cybersecurity environment may prevent us from detecting, reporting or responding to cyber incidents in a timely manner and could have a material adverse effect on our financial position and value of our Company’s stock. Despite our implementation of security measures, our IT systems and e-commerce business are vulnerable to damages from computer viruses, natural disasters, unauthorized access, cyber-attack, and other similar disruptions. On or about June 28, 2023, we identified a cybersecurity incident that temporarily disrupted the Company’s IT network and resulted in some limited downtime for certain systems. Through investigation, we confirmed that this event was related to an apparent ransomware attack involving the unauthorized encryption of some of our files and the deployment of malware. This incident required us to temporarily implement manual processes to conduct our operations with as little disruption to production as possible. There were no payments made in this cybersecurity incident and no material impact on the operations of our business operating segments. We have not encountered any cybersecurity threats or incidents that have had a material impact on our business. We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. See “Risk Factors- Risks Related to our Operations - Our information technology, or IT, infrastructure, and our network has been and may be impacted by a cyber-attack or other security incident as a result of the rise of cybersecurity events .” Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function. The Board oversees management’s implementation of our cybersecurity risk management program. The Board receives periodic reports on our cybersecurity risks and processes from management. In addition, management updates the Board, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Board also receives briefings from management on our risk management program, which includes our cybersecurity risk management. Presentations on cybersecurity topics are made as appropriate by our Chief Executive Officer. Our management team, including our Chief Executive Officer and Chief Financial Officer, whom are supported by our information technology consultant, are responsible for assessing and managing our material risks from cybersecurity threats. This team has primary responsibility for our overall cybersecurity risk management program and supervises our internal cybersecurity personnel. Our management team members have relevant experience in risk assessment and management, and our information technology consultant has over 25 years of IT and Cybersecurity experience. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from our third - party vendors; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment .

Company Information