Flora Growth Corp. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Flora Growth Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:44:47 EDT.

Filings

10-K filed on 2024-03-28

Flora Growth Corp. filed an 10-K at 2024-03-28 16:44:47 EDT
Accession Number: 0001062993-24-007367

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. We have processes in place for assessing, identifying, and managing material risks from potential unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting the data. The data include confidential, proprietary, and business and personal information that we collect, process, store, and transmit as part of our business, including on behalf of third parties. We also maintain a third-party security program to identify, prioritize, assess, mitigate and remediate third-party risks however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. We have implemented numerous policies and procedures concerning cybersecurity matters, which include policies that directly or indirectly relate to encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of the internet, social media, email and wireless and personal devices for both Company business and personal matters while utilizing Company resources, among other relevant topics. These policies go through an internal review process on a periodic basis and are, if needed, updated and re-approved by the appropriate members of management. Our systems periodically experience directed attacks intended to lead to interruptions and delays in our operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information, or intellectual property. Risk from cybersecurity threats, including relating to past incidents, have not materially affected our systems or business. Any significant disruption to our operations or access to our systems could adversely affect our business and results of operations. Further, a penetration of our systems or a third party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation, and reputation risk, which could have a negative effect on our business, financial condition and results of operations. 34 We established an interdisciplinary team to monitor and assess cybersecurity risks on an ongoing basis, which is led by our Chief Financial Officer (“CFO”). It is a cross-departmental team that consists of finance and operations personnel, as well as third party legal and information technology (“IT”) consultants, with all significant implementation efforts executed by our IT consultant, who has extensive experience in IT, enterprise security and cyber risk management. This team is in charge of developing, maintaining and measuring compliance with the cyber risk management program, and dedicates significant resources to cybersecurity and risk management processes to adapt to the ever-changing cybersecurity landscape and to respond to emerging threats in a timely and effective manner. When a potential incident is first detected, the matter is communicated to the CFO as soon as possible so that the Company may work quickly and diligently to re-secure its systems and work to minimize any damage and further risk to it as a result thereof. Upon receipt, the CFO is charged with immediately investigating the report to ensure the existence or possibility of a cyberattack and employs every effort toward thwarting or limiting a cyberattack, if ongoing, to the fullest extent possible to avoid further damage and exposure to the Company and its systems. As soon as an immediate threat or cyberattack is sufficiently contained to permit it, the CFO notifies the Chief Executive Officer of the situation, who is charged to direct the CFO on any additional or special measures to be taken, including but not limited to a Company-wide alert or directive, which the CFO must follow/implement without delay. Questions or concerns relating to a directive’s validity may be confirmed only by the CFO, or a designated executive officer, through a known form of contact not questionably in breach. As soon as reasonably practicable after response efforts commence, the designated executive officers are required to notify the Chair of the Audit Committee of the situation and to thereafter keep the Chair apprised of all material developments, who may escalate the matter to the full Board in the Chair’s discretion. Our emergency response plan also sets forth our procedures for a transition back into normal work practices, as well as security incident investigation, remediation procedures, security incident recovery and mandatory reporting. Our Board of Directors oversees the Company’s aggregate risk profile and risk management process. The Board of Directors administers this oversight function with respect to cybersecurity risks through the Audit Committee, which is responsible for overseeing the Company’s cybersecurity risk management processes, including the steps our management has taken to monitor and control cybersecurity risks.

Company Information