TILT Holdings Inc. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

TILT Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 17:28:19 EDT.

Filings

10-K filed on 2024-03-22

TILT Holdings Inc. filed an 10-K at 2024-03-22 17:28:19 EDT
Accession Number: 0001558370-24-003790

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company s overall risk management systems, as overseen by the Company s board of directors (the Board ), primarily through its audit committee of the Board (the Audit Committee ). These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company conducts security assessments of certain third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. As of the date of this Annual Report on Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition and that are required to be reported in this Annual Report on Form 10-K. For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factors in Item 1A. Risk Factors, We are reliant on information technology systems and may be subject to damaging cyber-attacks or security breaches and We are subject to data privacy laws, rules and regulations and any non-compliance with such laws, rules and regulations, could adversely affect our business, financial condition and operating results in this Annual Report on Form 10-K. Governance Board of Directors The Audit Committee oversees, among other things, the adequacy and effectiveness of the Company s internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The Audit Committee is informed of material risks from cybersecurity threats pursuant to the escalation criteria as set forth in the Company s disclosure controls and procedures. The Company s Senior Vice President Head of Information Technology ( SVP IT ) provides reports on cybersecurity matters, including material risks and threats, annually or more frequently as appropriate to the Board, including to the Audit Committee. Management Under the oversight of the Audit Committee, and as directed by the SVP IT, Company management is primarily responsible for the assessment and management of material cybersecurity risks. The SVP IT brings over two decades of extensive experience in global technology organizations spanning various industries. With a background encompassing more than 20 years of expertise in information security, risk management, and compliance, the SVP IT has successfully led cyber security initiatives and ensured compliance with regulatory standards such as Payment Card Industry ( PCI ) and Sarbanes-Oxley ( SOX ). The SVP IT is also supported by an Incident Response Team Security Officer ( IRT Security Officer ) who provides cross-functional support for cybersecurity risk management and facilitates the response to any cybersecurity incidents. The Company s IRT Security Officer has completed rigorous cybersecurity awareness and threat response training, equipped with the skills to develop effective incident response plans and swiftly mitigate emerging cyber threats. With expertise in threat detection, incident coordination, and remediation, the IRT Security Officer contributes to enhancing the Company s cybersecurity posture and readiness. All dollar amounts expressed in thousands, except per share amounts 53 Table of Contents The SVP IT oversees the Company s cybersecurity incident response plan and related processes that are designed to assess and manage material risks from cybersecurity threats. The SVP IT also coordinates with the Company s General Counsel and Interim Chief Financial Officer and Chief Accounting Officer (the Interim CFO and CAO ) to assess and manage material risks from cybersecurity threats. The SVP IT is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to criteria set forth in the Company s incident response plan and related processes. The Company s Disclosure Committee, with the assistance of its Cybersecurity Subcommittee, is responsible for overseeing the establishment and effectiveness of controls and other procedures, including controls and procedures related to the public disclosure of material cybersecurity matters. The Company s Disclosure Committee is comprised of, among others, the Interim CFO and CAO, General Counsel, Vice President of Investor Relations and Communications, Corporate Controller, and Financial Reporting Manager. The Cybersecurity Subcommittee of the Company s Disclosure Committee is comprised of, among others, the Company s Interim CFO and CAO, SVP IT, General Counsel, Corporate Controller, and IRT Security Officer. The SVP IT, or a delegate, informs the Cybersecurity Subcommittee of certain cybersecurity incidents that may potentially be determined to be material pursuant to escalation criteria set forth in the Company s incident response plan and related processes. The Cybersecurity Subcommittee is also primarily responsible for advising the Disclosure Committee and the Company s CEO and Interim CFO and CAO regarding cybersecurity disclosures in public filings. The SVP IT, with the General Counsel in attendance, also notifies the Audit Committee chair of any material cybersecurity incidents.

Company Information