MEDIFAST INC 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

MEDIFAST INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:50:57 EST.

Filings

10-K filed on 2024-02-20

MEDIFAST INC filed a 10-K at 2024-02-20 16:50:57 EST
Accession Number: 0001628280-24-005620


Item 1C. Cybersecurity.

Overview

Organizations across the globe are experiencing cybersecurity incidents at an increasing rate, and cybersecurity threats are increasingly sophisticated and constantly evolving. We have developed and maintained policies, procedures, and controls to mitigate material risks from cybersecurity threats, and to assess and disclose information to investors concerning material cybersecurity incidents. These risks are evaluated on an ongoing basis as part of our overall risk management strategy. As discussed in more detail below, we have policies and procedures in place to safeguard our information systems, monitor these systems, protect the confidentiality and integrity of our data, train and raise awareness of cybersecurity threats among employees, detect intrusions into our systems, and respond to cybersecurity incidents. Despite these efforts, no system is impenetrable, and we cannot provide assurances that we will prevent every attack or detect every incident in a timely manner.

Risk Management and Strategy

We have established processes for assessing, identifying, and managing material risks from cybersecurity threats and have integrated these cybersecurity processes into our overall risk management system. Specifically, we have adopted a cybersecurity framework that, where appropriate, aligns with the NIST Cybersecurity Framework, and we have maintained systems that, where appropriate, are PCI compliant under current standards. We regularly review our Incident Response Plans to ensure readiness if and when an incident does occur, including through live testing via planned and surprise tabletop exercises. In the event of a cybersecurity incident, if a system does become non-operational, we maintain disaster recovery capabilities to return to normal operation in a timely manner.

Our cybersecurity processes to assess and identify cybersecurity risks include periodic risk assessments, deployment of security monitoring tools for continuous monitoring of our information systems, periodic testing for vulnerabilities in our systems, periodic testing of employees' cybersecurity awareness, and receiving cybersecurity alerts, among other procedures. Our Information Security (IS) department, which reports to the Vice President, Information Security, evaluates cybersecurity risks and works to design and ensure implementation of appropriate controls and safeguards in alignment with our business objectives and operational needs. Management periodically reviews cybersecurity risks as part of the overall risks to the company under the enterprise risk management program. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework. We engage various third parties to assess, test, or assist with the implementation of our risk management strategies, policies, and procedures to enhance our detection and management of cybersecurity risks, including but not limited to consultants who assist with assessing risks, assist with our PCI compliance assessments, assess our systems' alignment with the NIST Cybersecurity Framework, and test and/or scan for vulnerabilities. We rely on software, hardware, and network systems, including cloud-based technology, that are either developed by us or licensed from or maintained by third parties to maintain operations. In the ordinary course of our business, we collect and utilize proprietary and customer information and data. We utilize systems designed to protect customer information and prevent fraudulent transactions and other security breaches. We rely on third-party software products to secure our credit card transactions.

Furthermore, we maintain a process to evaluate and manage risks associated with third-party service providers. We conduct cybersecurity assessments of our key vendors before engagement, maintain continued monitoring during the engagement, and maintain the ability to discontinue our engagement with a key vendor if their cybersecurity posture fails to meet pre-established standards. The Company, from time to time, experiences or is subject to a variety of incidents that arise during the ordinary course of its business. As of the date of this report and based upon the Company's experience, current information, and applicable laws, we do not believe that these incidents are material, or will have or have had a material adverse effect on business strategy, results of operations, or financial position. However, future cybersecurity incidents could materially affect our strategy, results of operations, or financial condition. See Item 1A. Risk Factors for additional information on how risks could materially affect the company.

Governance

The Board of Directors has responsibility for oversight and approval of our cybersecurity risk management processes, and the Board has established an oversight mechanism for cybersecurity risks. Senior executives provide the Board of Directors with quarterly updates concerning cybersecurity risks and the Company's cybersecurity strategies and objectives. In addition, members of management briefed on specific issues attend Board meetings to provide additional insight into the specific issues being discussed, including risk exposure. The Board works with our senior executives in reviewing the cybersecurity risks and strategy, provides guidance on the Company's cybersecurity goals and objectives, and monitors the information it receives from management regarding the assessment and management of cybersecurity risk.

If a significant cybersecurity incident occurs, it will be reported promptly to the Board near the time of discovery. The IS department is charged with monitoring risks, implementing controls, developing information security policies and procedures, and assessing cyber events. On a day-to-day basis, IS informs the Vice President, Information Security concerning cybersecurity risks and events, including any mitigation and remediation efforts. Our Vice President, Information Security joined the Company in September 2022, and is responsible for approving IS policies and procedures, implementing controls, monitoring and detection programs, and employee training on cybersecurity risks, and reports cybersecurity risks and strategies directly to executive leadership. He has over a decade of security experience, received his Master of Science in Computer Information and Information Systems Security/Information Assurance from Norwich University, and holds various certifications including Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP). Cybersecurity incidents are escalated to the cybersecurity incident response team ("CIRT"), which is responsible for overseeing our incident response strategy, including remediation. Significant cybersecurity incidents are escalated to the Company's Incident Response Materiality Assessment Committee (IRMAC), which assesses and evaluates whether the incident is material using criteria based on our enterprise risks. This committee is comprised of a cross-functional team that consists, in part, of employees at the management level and members of the executive team. As noted above, if a significant cybersecurity incident occurs, it will be reported promptly to the Board on an ad hoc and as-needed basis. Otherwise, management reports cybersecurity risks and developments to the Board quarterly.


Company Information

Name: MEDIFAST INC
CIK: 0000910329
SIC Description: Miscellaneous Food Preparations & Kindred Products
Ticker: MED - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30