Village Farms International, Inc. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

Village Farms International, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 07:08:39 EDT.

Filings

10-K filed on 2024-03-13

Village Farms International, Inc. filed an 10-K at 2024-03-13 07:08:39 EDT
Accession Number: 0000950170-24-030499

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY DISCLOSURES Risk Management and Strategy Management of cybersecurity risks is an integral part of our overall risk management framework and is essential for safeguarding our business and data. We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Following these risk assessments, we may accept identified risks re-design, implement, and maintain reasonable safeguards to minimize identified risks reasonably address any identified gaps in existing safeguards and regularly monitor the effectiveness of our safeguards. Our cybersecurity risk management program works to balance critical infrastructure, network, application, cloud and information security objectives with overall business objectives and risk tolerance. Specific controls that are used include endpoint threat detection and response, identity and access management, privileged access management, logging and monitoring involving the use of security information and event management, multi-factor authentication, firewalls and intrusion detection and prevention, and vulnerability and patch management. We use both external and internal threat intelligence sources to inform our defensive measures, including information from industry vendors and government agencies. We monitor evolving risks and threat events to implement security controls where applicable. 40 We believe in continuous improvement as part of the effort to optimize security, and we work to foster that culture through various initiatives: Cybersecurity Awareness Trainings: We educate employees on best practices for online safety and for identifying potential cybersecurity threats, including by initiating training programs for our entire workforce. Security Monitoring: We monitor our information technology environment with both our internal cybersecurity resources and third-party service providers. Proactive Reporting and Investigation: As part of our training initiatives, we educate employees on how to report any suspicious cyber activity or potential cybersecurity issues, and we investigate reported concerns. We engage a variety of third-party service providers to process and store data, including certain customer information, some of which may include personally identifiable information. We also depend on third-party service providers to host many of the systems and infrastructure used to provide our products and services. A limited number of third-party services support essential functions of our business, including the use of cloud-based technology. Governance Our Board of Directors has overall oversight responsibility for our enterprise risk management program and delegates cybersecurity risk management oversight to the Audit Committee of the Board of Directors. The Audit Committee oversees major enterprise risks, and the steps management has taken to monitor and control such exposure, including risks to our information technology infrastructure and security. The Audit Committee is responsible for ensuring independent examination of management s programs to identify, assess, respond to and monitor risks, which include those performed by third party consultants. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our cybersecurity programs are managed by a team of professionals who monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Our cybersecurity team includes personnel that have obtained credentials from the International System Security Certification Consortium and the SANS Institute, such as Certified Information Systems Security Professional (CISSP), as well as experienced information systems security professionals and information security managers. We recognize the ever-present global risk of cyberattacks from diverse threat actors, including nation-states, cybercriminals, hacktivists, insiders and organized crime. In spite of our efforts, we (or third parties we rely on) may not be able to fully, continuously and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement, but it is possible we may not implement appropriate controls if we do not recognize, or we underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. Further, even events that are detected by security tools or third parties may not always be immediately understood or acted upon. While no organization is immune to attack attempts and we cannot eliminate all risks from cybersecurity threats or provide assurance that we have not experienced an undetected cybersecurity incident, in 2023 we did not identify any material cybersecurity events that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For additional information regarding risks from cybersecurity threats, including our business strategy, results of operations, or financial condition, please refer to Item 1A, Risk Factors, in this annual report on Form 10-K, including the risk factor entitled We face risks related to cyber security attacks and other incidents. 41

Company Information