Karat Packaging Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on July 16, 2024

Karat Packaging Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 15:56:55 EDT.


10-K filed on 2024-03-15

Karat Packaging Inc. filed a 10-K at 2024-03-15 15:56:55 EDT
Accession Number: 0001628280-24-011444


Item 1C. Cybersecurity.

Cybersecurity risk management is a critical part of our overall risk management efforts. We have adopted security-control principles based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and other industry-recognized standards, as applicable. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use these principles as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity strategy prioritizes detection, analysis, and response to known, anticipated, or unexpected threats. We implement and continue to update risk-based controls to protect key information and systems. Some of the controls and processes in place to manage risks from cybersecurity threats include monitoring systems, enforcement mechanisms, employee training, tools and related services from third-party providers, and management oversight. Our cybersecurity risk management program in particular focuses on the following key areas:

Risk Assessment

At least annually, we conduct a cybersecurity risk assessment to identify the inherent cybersecurity risks and threats to which we are exposed, evaluate the maturity and effectiveness of our systems and processes in addressing such identified risks and threats, and identify any areas for further enhancement. Our cybersecurity risk assessment considers information from internal stakeholders, known and potential information security vulnerabilities, and data from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on prioritization of initiatives to enhance our security controls, make recommendations to senior management, and, if necessary but at least annually, inform the Audit Committee and Board of Directors.

Incident Response and Recovery Planning

We maintain an incident response and recovery plan (the “IRR Plan”) that guides our activities in preparing for, detecting, responding to, and recovering from cybersecurity incidents. The IRR Plan identifies the working group responsible for the prevention, detection, mitigation, and remediation of cybersecurity incidents. The IRR Plan also covers the range of activities we undertake in connection with responding to cybersecurity incidents, including monitoring, identification, investigation, assessment, containment, remediation, and mitigation, as well as compliance with legal obligations, including any necessary regulatory reporting. Incidents are evaluated, ranked by severity, and prioritized for response, remediation, and reporting, if needed.

Collaboration

We also engage third-party security consultants to assist with the assessment and enhancement of our cybersecurity risk management program and compliance with applicable practices and standards. Should a cybersecurity incident occur in the future, we may engage third parties to assist us in responding to the incident as well as enhancing our cybersecurity risk management program, if necessary. The importance of cybersecurity is conveyed internally within the organization as well as externally. Within the organization, our cybersecurity efforts are led by our Information Technology (“IT”) Manager, who is a Microsoft Certified Professional and holds CompTIA Network+ and Cisco Network certifications. We have also established an IT steering committee consisting of members from various key departments, including IT, Finance, Operations, and Human Resources. The IT steering committee convenes at regular periodic intervals and reviews IT strategic and investment priorities, including the Company’s cybersecurity programs. Our policies also require each of our employees to contribute to our data security efforts. At least annually, employees are required to attend a mandatory training on how to recognize phishing attempts and how to best handle and report cybersecurity threats. In addition, we collaborate with third-party software-as-a-service providers and other service providers to maintain policies and procedures governing our third-party security risks. We evaluate and ensure that such third parties maintain appropriate security controls to protect our confidential data and notify us of material data breaches that may impact our data.

Governance

Cybersecurity is an important part of our risk management processes and an area of focus for senior management. Our Board of Directors has oversight of our strategic and business risk management and has delegated cybersecurity risk management oversight to the Audit Committee. Members of the Audit Committee receive updates from senior management on an as-needed basis, but at least annually. These updates cover existing and new cybersecurity risks, how management is assessing and addressing such risks, the status of key information security initiatives, and cybersecurity incidents, if any, and the responses to them. Members of our Board of Directors also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management program. In the event of a cybersecurity event, a cross-functional steering committee involving the IT, Finance, and Legal departments would review and assess the incident and determine whether further escalation and regulatory reporting is required. Any incident assessed as potentially being or becoming material is immediately escalated to the Audit Committee, and meetings of the Audit Committee and/or the full Board of Directors would be held, as appropriate. We consult with our outside legal counsel as appropriate, including on materiality analysis and disclosure matters. Senior management makes the final materiality determination and disclosure decisions. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made in a timely manner.

In 2023, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. There can also be no guarantee that our policies and procedures under our cybersecurity risk management program will be properly followed in every instance or that those policies and procedures will be effective. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A “Risk Factors” for additional information about the risks to our business associated with a breach or other compromise of our information and operational technology systems.

Company Information

Name: Karat Packaging Inc.
SIC Description: Plastics Products, NEC
Ticker: KRT - Nasdaq
Category: Accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30