Grove Collaborative Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

Grove Collaborative Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-20 17:15:42 EDT.

Filings

10-K filed on 2024-03-20

Grove Collaborative Holdings, Inc. filed a 10-K at 2024-03-20 17:15:42 EDT
Accession Number: 0001628280-24-012257


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. We invest in cybersecurity to protect intellectual property, customer data, manage reputational risk, and maintain business continuity across our devices, applications, and corporate networks. We strive to ensure ongoing compliance with the requirements under relevant standards including the Payment Card Industry Data Security Standards and relevant data privacy and protection laws and regulations. Additionally, our teams reference the standards, guidelines, and practices from the NIST Cybersecurity Framework (CSF) to align our cybersecurity program and risk management practices.

The foundation of our cybersecurity framework is based on written policies that govern different cybersecurity process areas. Risks are identified through various processes that employees perform through their daily operations and are mitigated, managed and/or governed through these established processes. Identifying and assessing cybersecurity risk is part of our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a combination of third party assessments, IT security, governance, risk and compliance reviews, external audits and assessments, penetration tests, vulnerability scans, and recurring review from our internal cybersecurity working group.

We respond to cybersecurity incidents and address identified cybersecurity risks through our internal cybersecurity working group and report any material findings and incidents to the audit committee of our board of directors. The cybersecurity incident response process is governed by our incident response plan and overseen by leaders from our IT security and legal teams.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact. We also conduct tabletop exercises annually, to simulate responses to cybersecurity incidents and ensure accuracy and continuous improvement of the incident response plan. Our team of cybersecurity professionals then collaborate with other stakeholders across our organization to further analyze the risk to the Company and form detection, mitigation and remediation strategies.

We are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents.

Leveraging our cybersecurity risk management processes, cybersecurity risk factors were identified, which are inherent to our business and industry. The risk factors discussed in this section should be considered together with information included elsewhere in this Annual Report on Form 10-K and should not be considered the only risks to which we are exposed. Additionally, mitigation of these risk factors is tracked by management as part of our cybersecurity maturity roadmap.

Disruptions in the Company's supply chain could result in an adverse impact on results of operations.

Network compromise or equipment sabotage could impact the operations of the fulfillment center sites which could impact the revenue.

Cybersecurity incidents, including breaches of confidential information, sensitive data, personal information, or intellectual property could damage the company's reputation, disrupt operations, increase costs, and impact revenues.

As part of the above processes, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable regulatory requirements and industry standards.

Our cybersecurity risk management program evaluates the risk associated when selecting third-party service providers. In addition to new vendor onboarding, critical vendors are reviewed annually to ensure understanding of their cybersecurity posture, and their responsibility in protecting our asset appropriately.

As of the date of this filing, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For additional information, see Part I, Item 1A, Risk Factors-Risks Related to Our Business.

Cybersecurity Governance

Cybersecurity is an area of focus for our board of directors, audit committee, and management. As part of our board of directors' overall responsibility for oversight of management's general risk identification and management activities, the audit committee of our board of directors is responsible for the oversight of risks from cybersecurity threats. Members of the audit committee review and discuss with management and our auditors quarterly the Company's cybersecurity risks and the steps that management has taken to protect against threats to the Company's information systems and security and review risk and mitigation steps taken by management related to data privacy.

Our cybersecurity risk management and strategy processes are overseen by leaders from our IT Security, external advisors, and legal teams. These individuals are informed about, and monitor the identification, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above.


Company Information

Name: Grove Collaborative Holdings, Inc.
CIK: 0001841761
SIC Description: Retail-Catalog & Mail-Order Houses
Ticker: GROV - NYSE; GROVW - OTC
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30