Snap One Holdings Corp. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on July 16, 2024

Snap One Holdings Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 18:46:28 EST.


10-K filed on 2024-03-07

Accession Number: 0001856430-24-000016


Item 1C. Cybersecurity.

Risk Management Personnel

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the Company’s Senior Director of Cybersecurity and the Cybersecurity Core Team, supported by our Cybersecurity Leadership Team.

Senior Director of Cybersecurity: Responsible for the day-to-day execution of our cybersecurity strategy, our Senior Director of Cybersecurity has a background with experience in information security and risk management. This person has over 28 years of IT and cybersecurity experience, with over 10 years specializing in digital forensics, incident response, and risk management, and holds a Management of Information Systems degree and Certified Information Systems Security Professional (“CISSP”) and Certified Information Security Manager (“CISM”) cybersecurity certifications. The Senior Director of Cybersecurity develops and implements policies, procedures, and controls to safeguard our information assets, and leads incident response efforts, ensuring a swift and effective response to potential cyber threats.

Cybersecurity Core Team: Comprised of specialists in risk assessment, vulnerability management, and threat intelligence, the Cybersecurity Core Team focuses on identifying, evaluating, and mitigating cyber risks. Their backgrounds include various cybersecurity certifications including CISSP, CISM, Offensive Security Certified Professional (“OSCP”), Certified Information Systems Auditor (“CISA”), and Certified Cloud Security Professional (“CCSP”). This team conducts regular risk assessments, monitors the threat landscape, and collaborates with other departments to promptly address vulnerabilities.

Cybersecurity Leadership Team: Comprised of leaders from various departments with a goal of providing high-level oversight and strategic direction for cybersecurity initiatives, the Cybersecurity Leadership Team strives to align cyber risk management with the overall business strategy and ensure resources are allocated appropriately. Members include employees from various operational perspectives and departments including IT, Finance, Legal, Product Development, Marketing, and People Management to foster a holistic approach to cybersecurity.

Engage Third Parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, we engage with external consultants and auditors to assess and enhance our security posture. These third parties conduct periodic audits, vulnerability assessments, and provide recommendations to strengthen our overall cybersecurity framework. These partnerships enable us to leverage specialized knowledge and insights.

Oversee Third-party Risk

Because we are aware of the risks associated with third-party service providers, we endeavor to conduct due diligence of our third-party service providers before engagement and implement contractual protections designed to address potential risks and vulnerabilities.

Risks from Cybersecurity Threats

We are not aware of any specific cybersecurity incidents that individually or together materially affected our business in 2023, however we acknowledge that the current cyber environment means that we, like other companies in our industry, are under constant threat from hackers, terrorists and other cyber criminals that, if successful, could lead to data breaches, unauthorized access to sensitive information, and other cyber threats that would be reasonably likely to materially affect our business strategy, financial condition, or results of operations.

Board of Directors Oversight

Management maintains a structured and systematic approach to reporting cybersecurity information to our Board. The audit and risk management committee (the “audit committee”) of our Board has primary oversight over our cybersecurity program. The audit committee is comprised of independent directors with expertise in risk management, technology, finance, and cybersecurity. In addition, audit committee members also have experience with cybersecurity oversight from their membership on other public company boards. The audit committee meets periodically to review and assess the effectiveness of our cybersecurity program, incident response plans, and overall resilience against evolving threats. The audit committee also actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures cybersecurity considerations are integrated into Snap One’s broader strategic objectives.

Management’s Role Managing Risk

Quarterly briefings and formal updates are provided by members of management to the audit committee to maintain transparency and facilitate informed decision-making regarding cybersecurity investments and strategies. These reports encompass a broad range of cybersecurity topics, including:

- Current Policies: Updates on the Company’s cybersecurity policies, procedures, and incident response plans;
- Threat Landscape Assessment: An overview of our current cybersecurity threat landscape, emerging trends, and potential risks;
- Incident Reporting: Details on any cybersecurity incidents, breaches, or threats, including the nature of the incident, response actions taken, and remediation plans.
- Investments and Initiatives: Updates on cybersecurity investments, initiatives, and projects to improve our overall cybersecurity posture; and
- Compliance and Regulatory Landscape: Insights into changes in cybersecurity regulations, compliance status, and efforts to align with industry best practices.

In addition, the audit committee regularly engages with our Senior Director of Cybersecurity and other relevant stakeholders to stay informed about the evolving threat landscape. The frequency of these additional meetings and reports vary to align with the dynamic nature of cybersecurity threats and the need for timely decision-making. This ensures the highest levels of management are kept abreast of the potential cybersecurity risks, and significant cybersecurity matters, and that strategic risk management decisions are escalated to the Board, ensuring they have comprehensive oversight and can provide guidance on critical cybersecurity issues.

In addition to meeting with the audit committee, the Senior Director of Cybersecurity and Cybersecurity Core Team conducts regular cybersecurity updates given to different groups of employees and management to promote awareness and accountability. These updates include risk assessments, tabletop exercises, incident response plans, and ongoing security initiatives. Further, recognizing employees’ critical role in cybersecurity, Snap One invests in training and awareness programs that empower employees to recognize and mitigate potential cyber risks, fostering a culture of cybersecurity throughout the organization.

Monitor Cybersecurity Incidents

Our program to manage and mitigate cybersecurity risks involves actively monitoring our systems for potential threats, including frequent reviews of threat-intelligence feeds, proactive security assessments, use of third-party software tools, and regular penetration tests to identify potential weaknesses.

Our incident response plans are integral to our overall crisis management framework. In the event of a cybersecurity incident, our team follows an incident response plan that includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.

Reporting Structure: The escalation path for cyber incidents is determined by materiality. Minor cyber incidents are addressed immediately by the Cybersecurity Core Team. If the issue requires a cross-functional response, or there is any indication of business interruption, financial harm, data loss, significant system functionality loss, unreasonably delayed service provision or exposure of sensitive data (such as Personal Identifiable Information), the incident is escalated to the Cybersecurity Leadership Team to respond to the threat and perform an initial incident classification. If after further investigation, it is determined the incident could have a material impact on the business, the issue is escalated to the audit committee.

Continuous Improvement

We recognize the cybersecurity landscape is dynamic, and we strive to continuously refine our processes based on emerging threats and industry best practices. We conduct reviews of our cybersecurity risk management processes and make adjustments to adapt to the evolving threat landscape.

Company Information

Name: Snap One Holdings Corp.
SIC Description: Electronic Components & Accessories
Ticker: SNPO - Nasdaq
Emerging growth company
Fiscal Year End: December 28