Crimson Wine Group, Ltd 10-K Cybersecurity GRC - 2024-03-19

Page last updated on April 11, 2024

Crimson Wine Group, Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-19 16:02:26 EDT.

Filings

10-K filed on 2024-03-19

Crimson Wine Group, Ltd filed an 10-K at 2024-03-19 16:02:26 EDT
Accession Number: 0001562151-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy The Company has a structured risk management process for identifying, reviewing, and assessing material risks from cybersecurity threats. These processes are included in the Company s overall risk management process, which is overseen by the Audit Committee of the Company s Board of Directors. As part of the cybersecurity risk management process the Company uses various methods to monitor and evaluate its threat environment and its risk profile. These methods include using manual and automated tools such as vulnerability scanning software monitoring current and emerging cybersecurity threats studying reports of threats and threat actors performing scans of the threat environment assessing our industry s risk profile conducting internal and external audits and assessments and carrying out threat and vulnerability assessments. To manage and mitigate material risks from cybersecurity threats to our information systems and data, the Company implements and maintains a variety of technical, physical, procedural, and organizational measures. These measures include access controls for networks, devices, and applications firewalls and antivirus/antimalware software management of network and user device configurations encryption of data monitoring of networks, devices, applications, and accounts penetration testing asset management procedures risk assessments incident detection and response plans vulnerability management processes business continuity and disaster recovery plans internal IT controls and employee cybersecurity awareness training. The cybersecurity risk management process also includes the evaluation of risks from cybersecurity threats associated with the use of third-party service providers, such as vendors engaged by the Company to provide the IT systems used in its operations. As a part of the overall risk management process, the Company evaluates new vendors for security risks before onboarding and regularly monitors third-party vendor performance to identify potential cybersecurity risks. The Company periodically engages with third-party consultants, legal advisors, and audit firms in evaluating and testing the Company s risk management processes. The Company continues to invest in cybersecurity and the resiliency of its networks and to enhance its processes and procedures, which are designed to help protect its systems and infrastructure, and the information they contain. For example, the Company is in the process of further developing its cybersecurity incident response processes and procedures to enhance its ability to identify, assess, and respond to potential cybersecurity threats. Although the Company faces cybersecurity risks in connection with its business, as of the date of this Report, such risks, including as a result of any previous cybersecurity incidents, have not materially affected (and are not reasonably likely to materially affect) the Company, including its business strategy, results of operations or financial condition. However, we can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations or financial condition. Governance Board of Directors The Audit Committee of the Company s Board of Directors oversees the effectiveness of the Company s internal controls, including controls designed to identify, mitigate, and assess potentially material cybersecurity threats and incidents. The Audit Committee is informed of the status of the cybersecurity risk management processes by management during regular Audit Committee meetings. Reports from management include existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and status on key information security initiatives. Management The Company s IT department, under the direction of its Chief Financial Officer, is responsible for the assessment and management of material cybersecurity risks. The IT department has over 70 years of combined work experience in information technology, including security, auditing, compliance, systems, and programming. The IT department is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of and participation in the cybersecurity risk management process described above, and regularly reports to the Audit Committee. 18 Table of Contents

Company Information