Clever Leaves Holdings Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on July 16, 2024

Clever Leaves Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:39:49 EDT.


10-K filed on 2024-04-01

Clever Leaves Holdings Inc. filed a 10-K at 2024-04-01 16:39:49 EDT
Accession Number: 0001819615-24-000031

Item 1C. Cybersecurity.

Integrated Risk Management

Management is responsible for the day-to-day management of our risk exposures in a manner consistent with the strategic direction and objectives established by the Board. As a critical component of our risk management process, management has adopted an integrated risk management framework to continuously identify, assess, measure, prioritize, manage, monitor and report current and emerging information security related risks, including risks associated with our use of third-party service providers. As part of this framework, we have an Enterprise Risk Management (“ERM”) program which is implemented across the Company to promote a strong Company-wide culture of risk management, compliance, and control. Our processes for assessing, identifying and managing information security risks and vulnerabilities are embedded across our business as part of our ERM program.

As part of the ERM program, we perform risk assessments in which we map and prioritize information security risks identified and addressed through a multi-faceted approach of processes described here, including third party assessments. We execute periodic audits and tests of our information system security controls in-house such as a vulnerability analysis of the information and the infrastructure of our sites. We engage third-party services to assist in designing the ITGC controls and evaluating them periodically either through independent audits or consulting on best practices to address new challenges. These evaluations include both the design and operational effectiveness of the controls.

Our risk management program also assesses third party risks, and we perform third party risk management to identify and mitigate risks from third parties such as vendors and suppliers associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third party service providers.

Among other things, we conduct periodic infrastructure monitoring including assessment of existing technology hardware and software configurations, patches and updates and also implement automated tools. We provide recurrent information security awareness training for employees and carry out periodic campaigns related to safety awareness which include interactive activities involving employee participation. Additionally, we have also implemented incident management protocols to analyze, remediate, and respond to activities that implicate potential risk to data and information. Through this methodology we remediate information security incidents and comply with potential legal obligations mitigating brand and reputational damage.

Impact of Risks from Cybersecurity Threats

We have identified a material weakness in our information technology general controls. These controls over user access to certain information technology systems that support our financial reporting process were not properly designed and implemented. We have since made efforts to remediate the identified material weakness. There have otherwise been no risks from cybersecurity threats at the Company to date that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.

Governance

The board of directors of the Company (the “Board”) has oversight responsibility for our risk management framework, including technology and cybersecurity risks facing the Company. The ERM program enables the board to establish a mutual understanding with the management of the effectiveness of its information security risk management practices and capabilities including the division of responsibilities for reviewing its information security risk exposure and risk tolerance, tracking emerging information risks, and reviewing for proper escalation of certain key risks for periodic review by the Board.

The Board receives briefings from management and the security and technological infrastructure team on enterprise-wide technology, cybersecurity risk management and the overall technology and cybersecurity environment by management. Specifically, the Board receives an Annual Security Information Report which details the plan for cybersecurity management, reviews the result of the implementation of threat control activities and conclusions for the period evaluated.

Role of Management

In addition to the risk management activities undertaken under the ERM Program, where management assesses and manages material risks from cybersecurity threats, our security and technological infrastructure team, led by the Technology Infrastructure and Security Manager, is responsible for day-to-day identification, assessment and management of the information security risks we face. Personnel in our security and infrastructure team collectively have decades of experience in information security, information technology and cybersecurity operations. These personnel are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents detected through automated detection and monitoring tools. The team manages and continually enhances the Company’s enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur.

In the event of a cybersecurity incident, the Company is equipped with an incident response plan that includes procedures such as: (i) reporting of the incident through a ticket management tool designated by the Company, (ii) identification and analysis, (iii) monitoring, containment, and eradication, (iv) remediation and creation of controls, and (v) lessons learned and preparation for future incidents.

The Technology Infrastructure and Security Manager provides regular updates to the Board concerning the Company’s technology and cybersecurity programs, associated risks and the Company’s efforts to help mitigate those risks.

Company Information

Name: Clever Leaves Holdings Inc.
SIC Description: Pharmaceutical Preparations
Ticker: CLVR - Nasdaq, CLVRW - Nasdaq
Emerging growth company
Fiscal Year End: December 30