Clarus Corp 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Clarus Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:52:22 EST.

Filings

10-K filed on 2024-03-07

Clarus Corp filed a 10-K at 2024-03-07 16:52:22 EST
Accession Number: 0001558370-24-002739


Item 1C. Cybersecurity.

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF and AI Risk Management Framework) and seek to follow industry best practices to identify, assess, and manage cybersecurity risks relevant to our business. We conduct annual risk assessments to identify cybersecurity threats to our critical systems, information, services, and our broader enterprise IT environment. These risk assessments include identifying reasonably foreseeable potential internal and external risks, the likelihood of occurrence and any potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, controls, and other safeguards in place to manage such risks. As part of our risk management process, we may engage third party experts to help identify and assess risks from cybersecurity threats. Our risk management and assessment process also encompasses cybersecurity risks associated with our use of third-party service providers.

As part of our overall risk management and assessment program, we design, implement, and maintain reasonable safeguards to minimize potential risks, including cybersecurity risks; reasonably address any identified gaps in existing safeguards; update existing safeguards as necessary; and monitor the effectiveness of our safeguards.

We also regularly provide cybersecurity awareness training to employees at all levels and departments across the Company. The Company believes that we have allocated adequate resources to address the cybersecurity threats that may reasonably affect us. Our cybersecurity team, consisting of the VP of Information Technology, Director of Information Security, and Director of Infrastructure, is principally responsible for managing our cybersecurity risk assessment processes, our security controls, mitigation process and our response to cybersecurity threats. The Company also participates in a cybersecurity risk insurance policy. For additional information regarding cybersecurity threats that may materially affect the Company, including our business strategy, results of operations, and financial condition, please refer to Item 1A. Risk Factors of this Annual Report on Form 10-K.

Governance

One of the functions of our Board of Directors is informed oversight of our risk management processes, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole and through its committees. In particular, the Audit Committee of our Board of Directors monitors and assesses our financial, legal and operational risks, and receives regular reports from the management team regarding comprehensive organizational risk as well as particular areas of concern, which includes, but is not limited to, cybersecurity risks, related mitigation, and other related responses and activities.

Our management team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include, among other things, briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in our IT environment.


Company Information

Name: Clarus Corp
CIK: 0000913277
SIC Description: Sporting & Athletic Goods, NEC
Ticker: CLAR - Nasdaq
Website
Category: Accelerated filer
Fiscal Year End: December 30