Solo Brands, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Solo Brands, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:24:18 EDT.

Filings

10-K filed on 2024-03-14

Solo Brands, Inc. filed an 10-K at 2024-03-14 17:24:18 EDT
Accession Number: 0001870600-24-000024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company recognizes the importance of being able to assess, effectively respond to and manage material cybersecurity threats and incidents that may compromise the confidentiality, integrity or availability of its information systems, data or network resources. As part of its overall enterprise risk management framework, the Company maintains both an Information Security Committee ( ISC ) and an Incident Response Plan ( IRP ). The Company s ISC is managed by its Chief Information Officer (the CIO ) whose team (the Incident Response Team, or IRT ) is responsible for leading company-wide cybersecurity strategy, policy, standards, architecture, and processes. The purpose of the IRP is to define procedures for reporting and responding to cybersecurity incidents. It creates objectives for actionable procedures that can be measured, evaluated, scaled and revised as necessary for each specific cybersecurity incident. These objectives are designed to maximize the effectiveness of the Company s response through an established plan of action and assigning responsibilities to appropriate personnel and/or third-party contractors. If a cybersecurity threat or incident is identified, the IRT will communicate the cybersecurity threat or incident and any damages to the CIO and other members of senior management of the Company. The Company will assess the materiality of the cybersecurity threat or incident to determine if any public disclosures are required under the SEC s cybersecurity disclosure rule. If deemed necessary, third-party consultants, legal counsel, and assessors will be engaged to evaluate the materiality assessment. The cybersecurity program of the Company interfaces with other functional areas within the Company, including but not limited to the Company s brands and information technology, accounting, finance, legal and human resources, as well as external third-party partners, where appropriate, to assess, identify and manage potential cybersecurity threats. The Company regularly assesses and updates its processes, procedures and management techniques in light of ongoing cybersecurity developments. Recognizing the complexity and evolving nature of cybersecurity threats, the Company also engages with a range of external experts, including cybersecurity assessors and consultants in evaluating and testing its cybersecurity management systems and IRP. These partnerships enable the Company to leverage specialized knowledge and insights, to assist in updating its cybersecurity strategies and processes to align with industry best practices. The Company s collaboration with these third parties includes consultation and review of security enhancements. To date, we have not identified risks from cybersecurity threats or incidents, including as a result of any previous cybersecurity incidents, that have materially affected the Company or are reasonably likely to materially affect our operations, business strategy, results of operations, of financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continues to increase, and there can be no assurance that 30 Table of Contents our cybersecurity risk management program and processes, including our IRP, and other preventative actions the Company has taken and continues to take to reduce the risk of cybersecurity threats and incidents and protect its systems and information, will be fully implemented, complied with or successful in protecting against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect the Company s business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors Risks Related to our Business and Industry We rely significantly on the use of information technology, as well as those of our third-party service providers. Any significant failure, inadequacy, interruption or data security incident of our information technology systems, or those of our third-party service providers, could disrupt our business operations, which could have a material adverse effect on our business, prospects, results of operations, financial condition and/or cash flows. Governance Our Board considers cybersecurity risk as part of its risk oversight function. The Board oversees management s implementation of our cybersecurity risk management program. The Board receives regular reports from the ISC on our cybersecurity risks. In addition, ISC updates the Board, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Board also receives briefings from ISC on our cyber risk management program. Board members receive presentations on cybersecurity topics from our CIO, internal security staff or external experts as part of the Board s continuing education on topics that impact public companies. The ISC, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our ISC s expertise includes a combined 20 plus years of experience in managing security technologies designing and implementing security strategies and risk management and incident response across various industries. Our ISC supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us and alerts and reports produced by security tools deployed in the IT environment.

Company Information