Compass Diversified Holdings 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Compass Diversified Holdings reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:32:11 EST.

Filings

10-K filed on 2024-02-28

Compass Diversified Holdings filed an 10-K at 2024-02-28 16:32:11 EST
Accession Number: 0001345126-24-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management Cybersecurity risk management is overseen both as a critical component of our overall risk management program and as a standalone program. We have implemented a risk-based, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Our cybersecurity program is designed to leverage people, processes, and technology to identify and respond to cybersecurity threats. We also engage external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes. We assess, identify, and manage risks from cybersecurity threats through various mechanisms, which may include risk assessments using applicable industry specific cybersecurity frameworks, control gap analyses, penetration testing, vulnerability scanning, cyber insurance that aligns with our subsidiaries’ risk profiles and internal or third-party assessments. We are committed to protecting the security and integrity of our systems, networks, databases and applications. We routinely invest to develop and implement cybersecurity programs and processes, including risk management and assessment programs, security and event monitoring capabilities, and prevention and protection capabilities. Our employees undergo annual security awareness training to enhance their understanding of cybersecurity threats and their ability to identify and escalate potential cybersecurity events. We regularly assess cybersecurity risks to identify and enumerate threats to us and vulnerabilities these threats can exploit to adversely impact our business operations. We also apply a risk-based approach to mitigate cybersecurity risks associated with our use of third-party service providers, including those in our supply chain that have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk process. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K. Cybersecurity Governance Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full board of directors for consideration. Senior management regularly discusses cyber risks and trends and, if they should arise, will discuss any material incidents with the Audit Committee. Both the board of directors and the Audit Committee periodically review the measures we have implemented to identify and mitigate cybersecurity risks. As part of such reviews, our board of directors and Audit Committee receive periodic reports and presentations from members of the team responsible for overseeing cybersecurity risk management. These periodic reviews address various topics including evolving regulatory standards, recent developments, vulnerability assessments, third-party reviews, and other information security topics that senior management deems necessary. We have also established protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to the Audit Committee or the board of directors in a timely manner.

Company Information