CompoSecure, Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

CompoSecure, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 15:56:28 EDT.

Filings

10-K filed on 2024-03-12

CompoSecure, Inc. filed a 10-K at 2024-03-12 15:56:28 EDT
Accession Number: 0001823144-24-000002


Item 1C. Cybersecurity.

Risk Management and Strategy

Identifying, assessing, and managing material cybersecurity risks is an important component of our overall risk assessment and management program. Given our holding company structure, the management of cybersecurity risks involves coordination between the parent company and our subsidiaries, which are responsible for developing appropriate cybersecurity programs, including as may be required by applicable law or payment card industry (PCI) standards.

We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents. Our information security and data privacy programs are designed to protect the confidentiality of nonpublic, sensitive business and personal information, as well as the security of our information systems. Administrative and technical safeguards that seek to mitigate cybersecurity threats and secure the Company’s information assets are addressed on a risk-based basis.

We have designed our information security programs consistent with PCI standards using the National Institute of Standards and Technology Cybersecurity Framework, and other security standards. These programs also include processes designed to identify, mitigate and monitor cybersecurity risk relating to vendors and others who have access to our confidential information or our information systems. Among other things, these programs generally involve evaluations and assessments by third parties, vulnerability scanning, employee testing and training, threat exercises, incident response plans and data security assessments of third-party service providers as a part of vendor management.

Cybersecurity threats may cause material disruptions to our subsidiaries’ operations, which may materially affect our results of operations and/or financial condition.
For more information about these risks, see the risk factor titled “Data and security breaches could compromise our systems and confidential information, cause reputational and financial damage, and increase risks of litigation, which could adversely affect our business, financial condition and results of operations.” and other discussions of risk factors under Item 1A “Risk Factors” in this report.

Governance

Our board of directors (the “Board”) oversees cybersecurity risks directly and through its Audit Committee. The Audit Committee oversees our overall risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity threats.

Our Chief Information Officer (CIO) provides periodic updates on our cybersecurity risk profile to the Audit Committee and our board of directors. These updates are designed to enable the Audit Committee and the board of directors to assess the effectiveness of our cybersecurity program in the prevention, detection, mitigation, and remediation of cybersecurity incidents. In addition, the CIO undertakes the appropriate internal notifications of any such occurrence, and responsive activities, to the General Counsel, Chief Executive Officer, and Chief Financial Officer.

Our cybersecurity threat risk action plan is managed by our CIO, who is also our Chief Information Security Officer (CISO). Our CIO/CISO is responsible for the establishment and maintenance of our cybersecurity program, as well as the assessment and management of cybersecurity risks. Our CIO/CISO has more than 25 years of technology industry leadership, cybersecurity expertise and engineering and operations experience.
Our CIO/CISO leads the Information Security function, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. This group includes a cybersecurity operations team that is responsible for information technology security monitoring and incident response activities, the latter covering the response coordination to cyber-attacks under the leadership and pursuant to the direction of the CIO/CISO.

The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. The CIO/CISO leads efforts to design, implement and operate controls deemed necessary, commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the organization.

To date, we do not believe that risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company. Please refer to “Data and security breaches could compromise our systems and confidential information, cause reputational and financial damage, and increase risks of litigation, which could adversely affect our business, financial condition and results of operations.” and other discussions of risk factors under Item 1A “Risk Factors” in this report.

While we continually work to safeguard the information systems we use, and the proprietary, confidential and personal information residing therein, and mitigate potential risks, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks and data or those of our third party providers.


Company Information

Name: CompoSecure, Inc.
CIK: 0001823144
SIC Description: Finance Services
Ticker: CMPO - Nasdaq, CMPOW - Nasdaq
Category: Emerging growth company
Fiscal Year End: December 30