Page last updated on February 26, 2026
Cronos Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 07:38:28 EST.
Filings
10-K filed on 2026-02-26
Cronos Group Inc. filed a 10-K at 2026-02-26 07:38:28 EST
Accession Number: 0001656472-26-000016
Item 1C. Cybersecurity.
Our cybersecurity processes include:
- Security awareness online training for personnel with Company email, at least annually;
- Periodic updates and reminders distributed to personnel with Company email relating to cybersecurity awareness and trends;
- Phishing tests for personnel with Company email on a periodic basis;
- Reviews of certain third-party vendors' information security programs (as discussed below);
- Periodic reviews of industry standards to strengthen our practices and policies, on an ad hoc basis;
- Electronic monitoring and logging of the majority of our technology environments to identify cybersecurity events, including the use of a security information and event management system;
- Periodic assessments of existing technology hardware configurations, patches, security and lifecycle; and
- Periodic assessments, in consultation with software providers, of existing software versions, configurations, patches and updates.

Certain information technology general controls are reviewed and tested as part of our internal control over financial reporting.

We rely on third-party services for penetration testing, security incident monitoring and security awareness online training. We generally manage our enterprise-wide cybersecurity program and processes, incident response preparation and end point protection, and internally, with the assistance of third-party service providers as we deem appropriate.

Before engaging third-party service providers to whom we grant access to our information technology systems, we may review their information security programs, depending on the feasibility of such review and our assessment of the level of risk the third-party service provider poses to our business operations and our information technology and financial reporting systems. We determine risk level based on internally developed criteria. We do not, however, review the information security programs of all third-party vendors.
Where feasible, we also conduct periodic reviews (typically annual) of certain third-party service providers, particularly service providers of financial, financial reporting and accounting systems, depending on our assessment of the level of risk to our business operations and our information technology and financial reporting systems.

To date, we are not aware of any cybersecurity incident that has had or is reasonably likely to have a materially adverse effect on our business, including our business strategy, results of operations and financial condition. However, there can be no assurance that our processes and procedures will prevent or timely detect a cybersecurity incident. For more information regarding risks from cybersecurity threats, see "Risk Factors-Risks Relating to Our Products-Risks Relating to Production and Distribution of Products."

Our Board has delegated oversight of our program for assessing, monitoring and mitigating cybersecurity risks to our Audit Committee. Our Audit Committee receives periodic reports on our program for assessing, monitoring and mitigating cybersecurity risks. In addition, as part of its overall responsibility for overseeing the adequacy of the Company's internal control over financial reporting, our Audit Committee receives periodic reports about our financial reporting information system controls and security.

Our Information Systems department, in addition to managing our general information technology systems, is also responsible for managing our enterprise-wide cybersecurity processes. Our Information Systems department has a dedicated cybersecurity professional who, in conjunction with a third-party managed security service provider ("MSSP"), implements, manages, and monitors our cybersecurity systems. Personnel in our Information Systems department, together with personnel at the MSSP, collectively have decades of experience in information security, information technology and cybersecurity operations.
The MSSP monitors and receives notifications of potential cybersecurity incidents detected through automated detection and monitoring tools, which are communicated to personnel within our Information Systems department. In the event we discover a material cybersecurity incident, Information Systems personnel report such incident to our Senior Vice President, Global Head of People and Technology, who then reports to our Chief Executive Officer and the Audit Committee, as appropriate. We do not currently have a Chief Information Security Officer; however, we do have a professional solely dedicated to enterprise-wide cybersecurity processes, as well as overseeing our MSSP relationship.
Company Information
| Name | Cronos Group Inc. |
| CIK | 0001656472 |
| SIC Description | Medicinal Chemicals & Botanical Products |
| Ticker | CRON - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |