IMAX CORP 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

IMAX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 17:01:16 EST.

Filings

10-K filed on 2024-02-27

IMAX CORP filed a 10-K at 2024-02-27 17:01:16 EST
Accession Number: 0000950170-24-021327


Item 1C. Cybersecurity.

Overview

The Company is not aware of any cybersecurity threats or incidents to date that have materially affected its strategy, results of operations, or financial condition. However, the scope and impact of any future cybersecurity incident cannot be predicted with certainty. More information on how material cybersecurity attacks may impact the Company's business is provided in Item 1A. "Risk Factors".

Cybersecurity Risk Management Framework

The Company employs a multi-faceted cybersecurity risk management framework, which is integrated into its enterprise risk management system. The Company aligns its security policies and practices with the ISO 27001 framework and manages its cybersecurity risks through a dedicated information security team, reporting to Mr. Preston. The information security team is tasked with, among other things, assessing, identifying and managing material cybersecurity risks and overseeing the implementation of the Company's cybersecurity strategy. The Company's cybersecurity risk management includes, but is not limited to, the following elements.

Risk Identification and Assessment: The team conducts periodic risk assessments, which includes penetration testing and vulnerability scanning, on the Company's Information Technology (IT) infrastructure, systems, and networks to identify potential vulnerabilities, weaknesses, and risks, and evaluates the potential impact of cybersecurity risks on the Company's operations, financials, and business.

Risk Mitigation Measures: The team implements and maintains a multi-layered defense approach to safeguard the Company's information technology infrastructure in accordance with industry best practices and updates the Company's systems and software to address identified vulnerabilities. The Company has also developed an incident response and disaster recovery plan to respond to cybersecurity incidents.

Vendor Risk Management: The Company evaluates the risk profile of its third-party service providers and may include cybersecurity enhancement or compliance requirements in its service agreements, as needed. The information security team periodically reviews key vendors' and counterparties' cybersecurity practices and may conduct audits or assessments at its discretion.

In addition, the Company has established clear lines of communication with key stakeholders, including executives, IT teams, employees, and customers, to ensure transparency and an effective response to cybersecurity incidents. Furthermore, the information security team develops and provides cybersecurity awareness training to the Company's employees and regularly communicates updates on best cybersecurity practices and improvements in the cybersecurity program.

The Company may use third-party programs and software and engage assessors, consultants, cybersecurity auditors, or other third parties to review, test, and advise on improvements to the Company's cybersecurity infrastructure.

Role of the Board of Directors

The Audit Committee oversees the Company's risk management and assessment, including its mitigation strategies, and updates the entire Board on the Company's risk profile and exposures on an as needed basis. With respect to cybersecurity, the Company's Chief Technology Officer ("CTO") and Head of Information Security updates the Audit Committee on at least an annual basis on matters such as external cybersecurity threats and attack trends; updates to threat monitoring processes; the composition of the Company's information security team; cybersecurity awareness training and testing; cybersecurity strategy; cybersecurity metrics, and assessments the progress of cybersecurity programs; and the potential scope and impact of cybersecurity risks and incidents on the Company's operations and financial condition.

The Audit Committee may also meet with management on an ad hoc basis to discuss and review any material cybersecurity incidents or threats.

Role of Management

Management is responsible for managing risks and informing the Board of the Company's material near- and long-term risks and risk management strategies. Management presents the Company's risk assessment, which includes its cybersecurity risks, to the Audit Committee on at least an annual basis.

The Chief Technology Officer ("CTO") leads management's assessment and management of cybersecurity risks. The Company's Head of Information Security leads the information security team, which is responsible for managing day-to-day cybersecurity risks and implementing and maintaining the Company's cybersecurity strategy. The Head of Information Security reports to and regularly briefs the CTO on cybersecurity matters, including results of vulnerability testing and remediation, cyber incident responses, and progress on cybersecurity infrastructure initiatives. The CTO and Head of Information Security update the Audit Committee about cybersecurity risks and any investigation of a material cybersecurity incident.

The Company's current CTO has over 20 years of experience in senior technology leadership roles, involving oversight of all aspects of technology development and technical operations, including cybersecurity. The Company's current Head of Information Securities has over 20 years of experience in cybersecurity roles, including in cybersecurity engineering, information security assessment, and development and management of corporate security policies and governance problems.


Company Information

Name: IMAX CORP
CIK: 0000921582
SIC Description: Photographic Equipment & Supplies
Ticker: IMAX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30