NATURES SUNSHINE PRODUCTS INC 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

NATURES SUNSHINE PRODUCTS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 17:11:14 EDT.

Filings

10-K filed on 2024-03-12

NATURES SUNSHINE PRODUCTS INC filed an 10-K at 2024-03-12 17:11:14 EDT
Accession Number: 0001628280-24-010625

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We regularly assess risks from cybersecurity threats monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. Our board of directors assesses risks based on probability and potential impact to key business systems and processes as part of our overall risk management program overseen by the by the Risk Management Committee of the Board of Directors. Our Data Breach Response Team performs annual cybersecurity tabletop incident response exercises, pursuant to our Data Breach Response Policy and Plan. Risks that are considered high are incorporated into our overall risk management program. We collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We have also developed a third-party cybersecurity risk management process to conduct due diligence on external entities, including those that perform cybersecurity services. Cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations, or financial condition. See our risk factor Cyber security risks and the failure to maintain the integrity of company, employee or guest data could expose us to data loss, litigation and liability, and our reputation could be significantly harmed in Part I, Item 1A. Risk Factors for additional details regarding cybersecurity risks and potential impacts on our business. 19 Table of Contents Governance Our Board of Directors oversees our risk management process, including as it pertains to cybersecurity risks, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Our Executive Director of Information and Technology Services ( IT Director ), who reports to our Chief Financial Officer, is responsible for the operational oversight of company-wide cybersecurity strategy, policy, and standards across relevant departments to assess and help prepare us to address cybersecurity risks. Our IT Director has multiple university certifications in advanced cybersecurity with over 30 years experience in cybersecurity and technology roles, most of which have been held with the Company. Meetings of our Risk Management Committee and Board of Directors include discussions and presentations from management regarding specific risk areas throughout the year, including, among others, those relating to cybersecurity threats, and reports from management on our enterprise risk profile on an annual basis. The Board of Directors reviews our cybersecurity risk profile with management on a periodic basis using key performance and/or risk indicators. These key performance indicators are metrics and measurements designed to assess the effectiveness of our cybersecurity program in the prevention, detection, mitigation, and remediation of cybersecurity incidents. We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents.

Company Information