ISSUER DIRECT CORP 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

ISSUER DIRECT CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 17:25:13 EST.

Filings

10-K filed on 2024-03-07

ISSUER DIRECT CORP filed a 10-K at 2024-03-07 17:25:13 EST
Accession Number: 0001654954-24-002824


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have implemented processes for assessing, identifying, and managing material risks from cybersecurity threats, which are integrated into the Company's overall risk management systems and processes. The Company regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection, and containment. The Company has other policies and procedures which directly or indirectly relate to cybersecurity, including those related to remote access monitoring, encryption standards, antivirus protection, multifactor authentication, confidential information, and the use of the internet, social media, email, and wireless devices.

Our information technology security professionals who work closely with our Chief Technology Officer ("CTO") who is responsible for the detection and initial assessment of cybersecurity threats and incidents (collectively, "cyber incidents"), whether internal or experienced by significant third-party service providers, using, among other means, third-party software. The team classifies detected cyber incidents based on potential impact to the functionality of the affected systems, possible or known information involved, and recoverability effort. The classification of a cyber incident is designed to allow rapid prioritization, response, and escalation. The CTO and Chief Executive Officer ("CEO") are alerted as to any detected cyber incident that is potentially significant. Incidents are documented for regular internal reporting processes including notations and considerations of related attacks.

The CTO and CEO are required to engage the cybersecurity incident review if a cyber incident has materially affected, or is reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition. The CTO and CEO are responsible for performing a materiality assessment, and overseeing the public disclosure of material cybersecurity matters, as appropriate.

We deploy quarterly cybersecurity training for employees and consider this a critical step in safeguarding the Company's data and assets. The training provides employees and contractors with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. The training techniques to strengthen our defensive stance against the increasing number and sophistication of cyberattacks worldwide and includes interactive modules covering various areas, including insider attacks, phishing and email attacks, preventing malware attacks, data protection, data handling, passwords, cloud and internet security, and cybersecurity fundamentals for mobile devices.

Like other major corporations, we are the target of cyber-attacks from time to time. However, risks from previous cybersecurity incidents have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. For additional information about risks related to cybersecurity, see "If we fail to keep our customers' information confidential or if we handle their information improperly, our business and reputation could be significantly and adversely affected" in Item 1A. Risk Factors of this Annual Report.

Cybersecurity Governance

Cybersecurity is a significant part of our risk management processes and an area of focus of our Board of Directors and management. Our CTO is primarily responsible for assessing and managing material risks from cybersecurity threats. Our CTO has six years of cybersecurity experience. The full Board is responsible for oversight of cybersecurity risk and receives regular reports from the CTO or CEO. Our CTO also presents his assessment of material risks from cybersecurity threats to the Board at least annually.

If a cyber incident is reported to the Board of Directors, our Incident Response Plan is triggered which involves a number of immediate actions being initiated. The impact, if any, of cyber incidents on internal control over financial reporting is discussed with the full Board. The independent members of the Board, through the Board's nominating procedures and requirements, consider cyber expertise in vetting nominees for the Board and recommending Board committee appointments, and the Board has determined that one of its independent Board members has cybersecurity expertise.


Company Information

Name: ISSUER DIRECT CORP
CIK: 0000843006
SIC Description: Services-Management Consulting Services
Ticker: ISDR - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30