Canterbury Park Holding Corp 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Canterbury Park Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 13:26:01 EDT.

Filings

10-K filed on 2024-03-12

Canterbury Park Holding Corp filed an 10-K at 2024-03-12 13:26:01 EDT
Accession Number: 0001437749-24-007400

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY The Company maintains a governance structure to address cybersecurity risk, which involves the Board, the Audit Committee, the Company s Director of Information Technology, and a dedicated Incident Response Team. The Company utilizes a cross-functional, multilayered approach risk management to its cybersecurity to identify, prevent, and mitigate cybersecurity threats to the Company designed to preserve the confidentiality, security, and integrity of the Company s information and data. The Company conducts periodic tests to assess the Company s processes and procedures and the threat landscape. The Board and the Audit Committee receive regular presentations on cybersecurity-related topics ranging from the results of penetration testing, recent developments, evolving standards, the threat environment, technological trends, and information security considerations facing the Company and its peers. At least annually, the Board discusses the Company s approach to cybersecurity risk management with the Company s Director of Information Technology, and at least annually, or more frequently as necessary, the Company s Director of Information Technology meets with the Audit Committee to discuss cybersecurity risk management. The Company s security program and IT-related controls are regularly examined by internal auditors, external auditors, and various regulators. The Company’s Incident Response Team is led by our Director of Information Technology and also comprised of various cross-functional members of management. The team is responsible for identifying, assessing, mitigating, and reporting on material cybersecurity risks and will present regular reports to the Audit Committee and the Board. The Board and the Audit Committee are also informed of any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. The Company maintains an operational Incident Response Plan ( IRP ) that defines how the Company handles cyber incidents, including escalation, reporting and remediation procedures. The IRP is reviewed annually both internally and by third parties during regular audits. In addition, the Company retains a third-party consultant with expertise in cyber risks and incidents to advise on cybersecurity related matters. The Company s consultant is also part of the Company s IRP procedures and provides independent analysis and advice during cybersecurity investigations. The Company also provides annual trainings for all employees designed to reinforce the Company s information technology risk and security management policies, standards and practices, as well as the expectation that all employees comply with these policies. These trainings are supplemented by Company-wide assessment initiatives, including periodic testing. The Company provides specialized security training for certain employee roles. The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Although we have designed our cybersecurity program and governance procedures above to mitigate cybersecurity risks, we face unknown and changing cybersecurity risks, threats and attacks. To date, these risks, threats or attacks have not had a material impact on our operations, business strategy, or financial results, but we cannot provide assurance that they will not have a material impact in the future. See the section entitled Risk Factors included elsewhere in this Annual Report for further information.

Company Information