PetIQ, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

PetIQ, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 08:57:09 EST.


10-K filed on 2024-02-29

PetIQ, Inc. filed a 10-K at 2024-02-29 08:57:09 EST
Accession Number: 0001628280-24-007822


Item 1C. Cybersecurity.

Cybersecurity Risk Management & Strategy

PetIQ has implemented and maintains various information security processes and systems designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including confidential information that is proprietary, strategic, or competitive in nature (“Information Systems and Data”). Our cybersecurity function, led by our Cybersecurity Manager and supported by our Chief Information Officer (“CIO”) and third-party service providers, helps identify, assess, and manage the Company’s cybersecurity threats and risks. This group identifies and assesses cybersecurity threats by monitoring and evaluating our threat environment using various methods including: using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, conducting scans of the threat environment, conducting internal and external cybersecurity audits, engaging third-party threat assessments, conducting vulnerability assessments, leveraging external intelligence feeds, and completing third-party red/blue team exercises and tabletop incident response exercises.
Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards, practices and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including: incident management processes (for both internal and third-party hosted systems), maintaining certain security certifications, encryption of certain data, network security controls, access controls, physical security, asset management (such as tracking and disposal), systems monitoring, vendor risk management processes, employee training, penetration testing, dedicated cybersecurity staff, and cybersecurity insurance. We use third-party service providers to assist us to identify, assess, and manage material risks from cybersecurity threats, including threat intelligence service providers, cybersecurity software and managed cybersecurity providers, penetration testing firms, and forensic investigators. Further, we use third-party service providers to perform a variety of functions throughout our business, such as software-as-a-service providers and data/computing hosting companies. We have a vendor management program that, depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider. This vendor management program includes a security questionnaire, reviews of security assessments, and vulnerability scans related to the vendor, as well as the imposition of contractual obligations related to cybersecurity. At PetIQ, cybersecurity is an overall company risk that is managed as a part of the Enterprise Risk Management Program which is updated and reviewed quarterly and is overseen by both senior management and the Board of Directors. 
For a description of the risks from cybersecurity threats that may materially affect PetIQ and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If our information technology systems or those of third parties upon which we rely, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”

Governance

PetIQ’s Board of Directors is responsible for overseeing the Company’s cybersecurity risks and threats. Specifically, the Audit Committee of the Board of Directors reviews the Company’s cybersecurity status, risks, and threats periodically. Additionally, as needed, individual board members may reach out to Company management directly with cybersecurity questions or clarifications. PetIQ has implemented cybersecurity processes and procedures in coordination with cybersecurity risk mitigation tools and services designed to help prevent, detect, and eradicate cybersecurity incidents. The CIO, who has more than 30 years of IT experience, has overall accountability for cybersecurity. The Cybersecurity Manager reports to the CIO. The Cybersecurity manager, who has overall responsibility for assessing and managing cybersecurity risk as well as managing and monitoring the cybersecurity technology stack, has more than 20 years of IT experience and is an ANSI/EC-Council certified CISO.
PetIQ’s cybersecurity incident management processes include processes to assess the impact of an incident for reporting purposes, as well as escalation procedures for incidents (based on severity, risk, and impact) that can flow communications and decisions up through the CIO, Executive/Senior Leadership, and the Audit Committee of the Board of Directors as needed.

Company Information

Name: PetIQ, Inc.
SIC Description: Wholesale-Drugs, Proprietaries & Druggists’ Sundries
Ticker: PETQ - Nasdaq
Category: Accelerated filer
Fiscal Year End: December 30