Charlotte's Web Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

Charlotte’s Web Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 07:09:27 EDT.

Filings

10-K filed on 2024-03-21

Charlotte’s Web Holdings, Inc. filed an 10-K at 2024-03-21 07:09:27 EDT
Accession Number: 0001750155-24-000027

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy: The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. The Company has designed and implemented a cybersecurity incident response plan and related processes, which are overseen by a team of internal cybersecurity professionals, including individuals with over ten (10) years experience handling vulnerability and security management, system upgrades, mitigation initiatives, user education and system re/accreditation. The Company provides regular desk-top educational training and incident simulation exercises to better address potential cyber security incidences and response thereto. Cybersecurity threats are identified by the Incident Response Team (“Response Team”) pursuant to the Cybersecurity Response Policy (“Cybersecurity Policy”) and escalated to the Enterprise Risk Management Executive Committee (“ERM Committee”) or member thereof pursuant to criteria set forth in this policy (See Governance Management below for further discussion of the ERM Committee and the members of management comprising the ERM Committee). These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. 54 The Company s Chief Digital and eCommerce Officer (CDEO) oversees the Company s incident response plan and related processes designed to assess and manage material risks from cybersecurity threats. The CDEO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to criteria set forth in the Company s incident response plan and related processes. The experience of our Response Team includes cybersecurity incident response, in-depth security assessments and security evaluation exercises to evaluate security profile, security research, education and outreach, and security tool development. The Company does not use any third-party consultants for assessment, management or identification of cyber security risks. The Response Team conducts regular internal testing of the Company s cyber security systems. Governance: Board of Directors The Audit Committee operates under a written charter adopted by the Company s board of directors. The Audit Committee oversees, among other things, a system of internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The Audit Committee is also responsible for the adequacy and effectiveness of the Company s internal controls, including those internal controls that are designed to assess, identify, and manage material risks from cybersecurity threats. The Audit Committee is informed of material risks from cybersecurity threats pursuant to escalation criteria set forth in the Company s disclosure controls and procedures. Further, the ERM Committee reports material risks from cybersecurity threats to the Company s Audit Committee and/or board of directors on a regular basis. The Company s Board of Directors has received training on cyber security and governance of the Company s processes for minimizing threats and response to incidences. Management The Company s management, including members of its ERM Committee, the Response Team, and the Company s CDEO, assess and manage material risks from cybersecurity threats. The ERM Committee is responsible for establishing and monitoring the integrity and effectiveness of controls and other procedures, which are designed to ensure that (1) all information required to be disclosed is recorded, processed, summarized, and reported accurately and on a timely basis, and (2) all such information is accumulated and communicated to the Audit Committee, as appropriate, to allow for timely decisions regarding such disclosures. The controls and procedures subject to the ERM Committee s oversight include processes related to managing material risks from cybersecurity threats. Accordingly, the Company s cybersecurity risk management processes have been integrated into the Company s overall enterprise risk management processes. The Chief Executive Officer, Chief Financial Officer, Chief Commercial Officer, Chief Operating Officer, and General Counsel comprise the Company s ERM Committee. The ERM Committee is responsible for establishing and monitoring the integrity and effectiveness of controls and other procedures, including controls and procedures related to managing material risks from cybersecurity threats, which are designed to ensure that (1) all information required to be disclosed is recorded, processed, summarized, and reported accurately and on a timely basis, and (2) all such information is accumulated and communicated to management and the Audit Committee, as appropriate, to allow for timely decisions regarding such disclosures. The CDEO or a delegate thereof informs the ERM Committee of cybersecurity incidents that may be material pursuant to escalation criteria set forth in the Company s Cybersecurity Policy and related processes. The CDEO regularly reports to the ERM Committee concerning material risks from cybersecurity threats to the extent necessary pursuant to the escalation criteria set forth in the Company s processes described herein. As of the date of this Annual Report on Form 10-K, the Company is not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For additional information concerning risks related to cybersecurity, see Item 1.A. Risk Factors. 55

Company Information