iANTHUS CAPITAL HOLDINGS, INC. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

iANTHUS CAPITAL HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:31:32 EDT.

Filings

10-K filed on 2024-03-28

iANTHUS CAPITAL HOLDINGS, INC. filed an 10-K at 2024-03-28 17:31:32 EDT
Accession Number: 0000950170-24-038196

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management The Company has processes for identifying, assessing, and managing material risks from cybersecurity threats. These processes are part of the Company s overall risk management process, as overseen by the Company s Board of Directors, with its audit committee having primary responsibility through its ongoing review of the Company s internal controls and reviewing, at least annually, the Company s information security and technology risks (including cybersecurity). These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company conducts security assessments of certain third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company, from time-to-time, may engage third-party consultants, advisors, and/or audit firms to evaluate and test the Company s risk management systems and assess and remediate certain potential cybersecurity incidents, as appropriate. Additionally, the Company mandates cybersecurity training as part of its company-wide employee onboarding process including best practices to identify potential cybersecurity threats and how to report such threats. The Company also requires regular ongoing cybersecurity training for employees. Governance Board of Directors The audit committee of the Company s Board of Directors, with the input of management, oversees the Company s internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The audit committee is informed of material risks from cybersecurity threats by the Company s Chief Executive Officer, Chief Financial Officer, and Vice President of Information Technology. Any updates on cybersecurity matters, including material risks and threats, are provided to the Company s audit committee, and the audit committee provides updates to the Company s Board of Directors at regular Board meetings. Management Under the oversight of the audit committee of the Company s Board of Directors, and as directed by the Company s Chief Financial Officer, the Vice President of Information Technology is primarily responsible for the assessment and management of material cybersecurity risks, establishing and maintaining adequate and effective internal controls covering cybersecurity matters, and disclosing any material cybersecurity matters faced by the Company. This also includes hiring appropriate personnel and/or third party service providers, helping to integrate cybersecurity risk considerations into the Company s overall risk management strategy, and communicating key priorities to relevant personnel, including the Company s Chief Financial Officer and, as applicable, the Company s Board. The Company s current Vice President of Information Technology has more than 20 years of experience with information technology and related systems security matters and processes. As of the date of this report, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. 46 Table of Contents See Item 1 A. Risk Factors for more information on the Company s cybersecurity-related risks. 47 Table of Contents

Company Information