DIRTT ENVIRONMENTAL SOLUTIONS LTD 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

DIRTT ENVIRONMENTAL SOLUTIONS LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 17:01:58 EST.

Filings

10-K filed on 2024-02-21

DIRTT ENVIRONMENTAL SOLUTIONS LTD filed an 10-K at 2024-02-21 17:01:58 EST
Accession Number: 0000950170-24-018049

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. The security of our information technology systems and Company data is important to our operations and reputation. Accordingly, we are committed to identifying and managing cybersecurity risks. Our Cybersecurity team performs periodic risk assessments and, on a quarterly basis, provides to our Enterprise Risk Management Committee ( ERM ) information related to the Company s cybersecurity, including statistics on attempted cyber-attacks, status of employee information security training awareness, and information on any security investigations. The Cybersecurity team advises the ERM of significant global cyber events that occurred during the quarter and whether they impacted DIRTT. The Cybersecurity team regularly discusses with the ERM the Company s cybersecurity posture and whether the Company should implement additional protections and controls to assist the Company in protecting, responding to, or mitigating potential future cyber-attacks. DIRTT has developed and implemented a cybersecurity risk management strategy which consists of 5 phases: Identify, Protect, Detect, Respond, and Recover. Each phase has multiple processes and technologies supporting those processes. Identify Identification processes at DIRTT include: system asset identification, threat identification, vulnerability identification and maintaining cybersecurity policies and standards. Protect Protection processes at DIRTT include: cyber awareness training, cyber awareness assessment (each employee is assigned a cybersecurity awareness grade calculated by a best in class cybersecurity vendor), implementation of identity and access controls, perimeter and endpoint security, annual vulnerability assessments and remediation, data encryption in transit, key vendor (third parties) control effectiveness assessment, and pre-implementation of software and systems cybersecurity assessments. Detect Detection processes at DIRTT include: automated event collection, collation, analysis, alerting and end user incident reporting. Respond Respond processes at DIRTT include: containment, communication, investigation and analysis, and long-term mitigation planning. Recover Recovery processes at DIRTT include: impact identification and analysis, system restoration, internal and external communications as deemed necessary. DIRTT engages external assessors annually for specific controls, to assess and provide assurance on the health of DIRTT s cybersecurity posture and controls. 25 DIRTT s Senior Vice President ( SVP ) of Technology, who reports to the CEO, is responsible for DIRTT s cybersecurity and has over 15 years of technology experience. The SVP of Technology is supported by dedicated Cybersecurity staff and Governance, Risk and Compliance ( GRC ) staff. DIRTT s cybersecurity team leader has over 20 years of experience in cybersecurity, multiple industry standard cybersecurity certifications, and extensive offensive and defensive cybersecurity tactical skills. DIRTT s GRC lead has over 20 years of GRC experience and industry standard certifications. Cybersecurity incidents, response and remediation activities and statuses are reported directly to the SVP of Technology. The ERM of the Board of Directors oversees risks resulting from cybersecurity threats. DIRTT s management, represented by the SVP of Technology, is responsible for identifying, assessing, and managing risks arising from cybersecurity threats. Quarterly, DIRTT’s SVP of Technology reports to the ERM on the health of DIRTT s cybersecurity, incidents, and emerging threats and vulnerabilities that may impact the Company. As of the date of this Annual Report, the Company has not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company s results of operations and/or financial condition. See Item 1A. Risk Factors for additional information about cybersecurity risk.

Company Information