Cronos Group Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Cronos Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:16:09 EST.

Filings

10-K filed on 2024-02-29

Cronos Group Inc. filed a 10-K at 2024-02-29 16:16:09 EST
Accession Number: 0001656472-24-000021


Item 1C. Cybersecurity.

Our cybersecurity processes include: Basic security awareness online training for personnel with company email, on an annual basis; Phishing tests for personnel with company email, on not less than an annual basis; Reviews of certain third-party vendors' information security programs (as discussed below); Consultation with external advisors regarding opportunities and enhancements to strengthen our practices and policies, on an ad hoc basis; Electronic monitoring of the majority of our technology environments to identify cybersecurity events; Periodic assessments of existing technology hardware configurations, patches, security and lifecycle; Periodic assessments, in consultation with software providers, of existing software versions, configurations, patches and updates; and Periodic assessments of data management and handling, including data use and access reviews.
Certain information technology general controls are reviewed and tested as part of our internal control over financial reporting. We use third-party services to assist with penetration testing, security incident monitoring, incident response preparation, end point protection, and security awareness online training.
Before engaging third-party service providers to whom we grant access to our information technology systems, we may review their information security programs, depending on the feasibility of such review and our assessment of the level of risk the third-party service provider poses to our business operations and our information technology and financial reporting systems. We determine risk level based on a set of internally developed criteria. We do not, however, review the information security programs of all third-party vendors.
Where feasible, we also conduct periodic reviews (typically annual) of certain third-party service providers, particularly service providers of financial, financial reporting and accounting systems, depending on our assessment of the level of risk to our business operations and our information technology and financial reporting systems.
To date, we are not aware of any cybersecurity incident that has had or is reasonably likely to have a materially adverse effect on our business, including our business strategy, results of operations and financial condition. However, there can be no assurance that our processes and procedures will prevent or timely detect a cybersecurity incident. For more information regarding risks from cybersecurity threats, see the section entitled "Risk Factors - Risks Relating to Our Products - Risks Relating to Production and Distribution of Products."
In fiscal year 2024, as part of our overall enterprise risk management process, our Board received a report on our program for assessing, monitoring and mitigating cybersecurity risks and has delegated oversight of such program to our Audit Committee. Going forward, the Audit Committee will receive periodic reports on our program for assessing, monitoring and mitigating cybersecurity risks. In addition, as part of its overall responsibility for overseeing the adequacy of the Company's internal control over financial reporting, our Audit Committee receives periodic reports about our financial reporting information system controls and security.
Our Information Systems department, in addition to managing our general information technology systems, is also responsible for managing our enterprise-wide cybersecurity processes. Personnel in our Information System department collectively have decades of experience in information security, information technology and cybersecurity operations.
Our Information Systems department monitors, and receives notifications of, potential cybersecurity incidents detected through automated detection and monitoring tools. In the event we discover a material cybersecurity incident, Information Systems personnel reports such incident to our Chief Financial Officer, who then reports to our Chief Executive Officer and the Audit Committee, as appropriate. We do not currently have a Chief Information Security Officer or other senior security officer of a similar title.


Company Information

Name: Cronos Group Inc.
CIK: 0001656472
SIC Description: Medicinal Chemicals & Botanical Products
Ticker: CRON - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 30