GameSquare Holdings, Inc. 10-K Cybersecurity GRC - 2024-04-16

Page last updated on April 16, 2024

GameSquare Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-16 16:02:07 EDT.

Filings

10-K filed on 2024-04-16

GameSquare Holdings, Inc. filed an 10-K at 2024-04-16 16:02:07 EDT
Accession Number: 0001493152-24-014809

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company has developed an information security program to address material risks from cybersecurity threats. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. A risk assessment, based on a method and guidance from a recognized national standards organization, is conducted annually. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others. Specific controls that are used to some extent include endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring involving the use of security information and event management (SIEM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention, and vulnerability and patch management. Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, third parties are used in selected areas to conduct assessments, such as vulnerability scans and penetration testing. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring. The Company has a written incident response plan and conducts tabletop exercises to enhance incident response preparedness. Business continuity and disaster recovery plans are used to prepare for the potential for a disruption in technology we rely on. Employees undergo security awareness training when hired and annually. The Company has a Governance, Risk, and Compliance (GRC) function to address enterprise risks, and cybersecurity is a risk category addressed by that function. The Company has a privacy and security governance committee. The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. And events, when detected by security tools or third parties, may not always be immediately understood or acted upon. Governance The Chief Information Security Officer (CISO) is the management position with primary responsibility for the development, operation, and maintenance of our information security program. The Company s CISO should have experience in managing cybersecurity risks & protocols, data protection protocols, and managing protocols for Cloud/IT/web security vulnerabilities. The CISO briefs the Company management team quarterly regarding general security updates or as needed when security incidents are identified. Oversight of the information security program at the Board level sits with Audit Committee.

Company Information