Goodness Growth Holdings, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Goodness Growth Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:02:16 EDT.

Filings

10-K filed on 2024-04-01

Goodness Growth Holdings, Inc. filed an 10-K at 2024-04-01 16:02:16 EDT
Accession Number: 0001558370-24-004519

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management and strategy The Company integrates risk management into its overall cybersecurity strategy and has implemented processes designed to identify, assess, prioritize, and manage risks to protect data, intellectual property, and information assets. As part of our risk governance and management, the Company has developed procedures to identify and evaluate risks, measure them against predefined criteria, devise and execute strategies to mitigate identified risks, continuously monitor and review risk profiles, and communicate risks to relevant stakeholders. Addressing cybersecurity risks involves a comprehensive approach that encompasses both internal assessments and external information sources. For instance, the Company engages in security assessments conducted by internal and external experts to ensure compliance with security policies and industry frameworks and vulnerability assessments to discover vulnerabilities in networks, systems and applications. The Company has strategically reduced its hardware footprint by eliminating on-premise datacenters and moving IT infrastructure into cloud-hosted and Software as a Service (SaaS) providers. As a result, the Company is streamlined and agile to respond quickly to market fluctuations and changes in the industry. Additionally, the Company leverages cloud-hosted and SaaS providers that offer Service Level Agreements (SLAs) and adhere to compliance and regulatory requirements for the industry. We oversee third-party service providers by conducting vendor diligence upon onboarding and additional monitoring. Vendors are assessed for risk based on the nature of their services, access to data and systems and supply chain risk. The Company performs ongoing risk assessments that evaluate IT systems and assess the likelihood of occurrence, estimate potential impact, and plan for remediation. Cybersecurity Governance Cybersecurity risk management is overseen by the Company s Vice President of Information Technology and Security who is supported by full-time information security staff. The Vice President of Information Technology and Security advises the executive team on the development and implementation of the information security program. The Company incorporates learning from its cybersecurity risk management process into its overall cybersecurity program. To date, the Company has not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our efforts, we cannot provide assurance that we will not be materially affected in the future by cybersecurity risks or any future material incidents. For more information, see Item 1A. Risk Factors, We face risks related to our information technology systems, including potential cyber-attacks and security and privacy breaches . The Board and executive team provide regular oversight of the Company s cybersecurity risk management program. The Vice President of Information Technology and Security presents to the Board and the executive team regularly with updates via business review dashboards. The Board and executive team provide guidance, including with respect to any changes to business priorities, risk tolerance, or security initiatives. 51 Table of Contents

Company Information