Celsius Holdings, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Celsius Holdings, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:06:42 EST.

Filings

10-K filed on 2026-03-02

Celsius Holdings, Inc. filed a 10-K at 2026-03-02 16:06:42 EST
Accession Number: 0001341766-26-000024


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company has established a cybersecurity risk management program, designed to identify, assess, mitigate and manage cybersecurity risks, incidents and threats that could potentially impact our business operations. These cybersecurity risk management processes are integrated into the Company's overall enterprise risk management program.

Our Cybersecurity Committee, which includes our Chief Financial Officer and key representatives from the Finance, IT and Legal departments, direct our cybersecurity efforts. The Cybersecurity Committee is primarily responsible for monitoring our cybersecurity risk management program, establishing and updating materiality thresholds for reporting cybersecurity incidents and determining whether specific incidents meet established disclosure criteria. The Cybersecurity Committee's role is focused on evaluating incidents against these thresholds to ensure that significant cyber risks are appropriately managed, addressed and if required, disclosed in line with our overarching cybersecurity strategy and policies.

The Cybersecurity Committee members rely on the cybersecurity experience of the Company's head of IT Security, which includes more than twenty years of experience in cybersecurity and IT, with focused expertise on cybersecurity strategy, architecture, policy and processes relevant to assessing, identifying and managing cybersecurity risks. Remaining team members have a general familiarity with cybersecurity matters and an understanding of the potential financial impacts, disclosure obligations and enterprise risks to the Company as they relate to cybersecurity. The Company has also established the Cyber Incident Policy.

Our Senior Vice President of IT, Security and Infrastructure, is tasked with continuously monitoring our systems and networks for potential cybersecurity threats.
The IT department monitors incidents that meet our established materiality thresholds, which encompass items such as cost, potential impact on operations and reputational risks and escalates incidents within our organization for further assessment and responsive action by the Cybersecurity Committee. The Cyber Incident Policy sets forth a process to report cybersecurity incidents that is intended to enable a rapid organizational response to mitigate risks and also to ensure compliance with our public reporting obligations. This process includes incident identification, reporting channels to report any cybersecurity incidents, reporting procedures with respect to information to be included in any incident report, provision for confidentiality of information reported, the initiation of a response process to any reported incident and communication of a reported incident to the Cybersecurity Committee. In addition to our internal reviews, we may from time to time engage external cybersecurity firms to assist with investigations and external cybersecurity experts to evaluate our processes, including conducting penetration tests, and to report on our cybersecurity infrastructure and processes to our senior management and to the Audit Committee of our Board. Our Cyber Incident Policy also establishes procedures for engaging law enforcement should the need arise and defines certain parameters with respect to drafting initial incident reports, technical assessment reports and financial impact reports for review by the Cybersecurity Committee, management, the Audit Committee and the full Board, as appropriate. Our Cybersecurity Committee also reviews cybersecurity incidents affecting our third party service providers as necessary. 
Upon being notified of a cybersecurity incident at a third party, our Senior Vice President of IT, Security and Infrastructure, or a designated point of contact will promptly contact the third party to understand the details and scope of the incident. An initial report outlining the nature of the incident, affected systems and preliminary impact assessment will be provided to the Cybersecurity Committee, which will appropriately review the matter. Regular communication is to be maintained with the third party with updates provided to the Cybersecurity Committee to enable appropriate steps to be taken and timely public reporting if needed.

Cybersecurity Governance and Oversight

The governance of our cybersecurity risks involves active and informed participation from our management team, our Audit Committee and our Board. The Audit Committee, which receives regular updates from the Cybersecurity Committee, maintains oversight of our cybersecurity strategies and risks and will consider such updates as part of the Company's overall risk management program. This oversight includes briefings on the nature of the risks we face, the steps we are taking to mitigate these risks and any significant cybersecurity incidents that have occurred. In addition, our Senior Vice President of IT, Security and Infrastructure, will provide reports and updates to the Audit Committee and to the full Board as the need arises. All Board members may attend the meetings of the Audit Committee during which cybersecurity is discussed and will be included in any tabletop exercises as they are planned.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Cybersecurity risks are considered as part of the Company's strategic planning and operational decision-making processes. We continue to monitor potential cybersecurity threats and incorporate findings into our risk management strategies. While the Company maintains processes designed to manage cybersecurity risks, such processes cannot fully eliminate all risks, and certain cybersecurity incidents may not be detected immediately. Further information regarding cybersecurity and related risks is discussed in Part I, Item 1A of this Report.


Company Information

Name: Celsius Holdings, Inc.
CIK: 0001341766
SIC Description: Bottled & Canned Soft Drinks & Carbonated Waters
Ticker: CELH - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 31