Cricut, Inc. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

Cricut, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 19:59:37 EST.

Filings

10-K filed on 2026-03-04

Cricut, Inc. filed a 10-K at 2026-03-04 19:59:37 EST
Accession Number: 0001828962-26-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. The structure of our information security program is based on the National Institute of Standards and Technology ("NIST") Cybersecurity Framework and other industry standards. We r outinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct periodic risk assessments, including vulnerability scanning and penetration testing, to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include an inventory of assets, followed by identification of reasonably foreseeable internal and external vulnerabilities, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We monitor various cybersecurity resources to remain informed about new and emerging cybersecurity threats and attack vectors. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer ("CISO"), who reports to our Executive Vice President of Platform Development, to manage the risk assessment and mitigation process. As part of our overall risk management system, we monitor and test our safeguards and train our employees on recognizing potential cybersecurity threats and implementing our safeguards. Personnel at all levels and departments are made aware of our cybersecurity policies through periodic trainings. We also conduct tabletop exercises for members of various functional areas on data recovery and incident response. We engage security consultants and other third parties in connection with our risk assessment processes. These service providers assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards and to conduct regular vulnerability assessments for our internal assets. We manage third-party cybersecurity risk through a risk-based due diligence and oversight program led by our CISO. Before engagement, we assess providers' security controls in proportion to the sensitivity of the data and systems involved. Where risks are elevated, we may require remediation, enhanced monitoring, or independent attestations as a condition of onboarding, and we may decline to engage or restrict access if risks cannot be adequately mitigated. Our contracts require applicable service providers to maintain reasonable security measures, comply with relevant laws and standards, and promptly notify us of any actual or suspected security incident affecting our systems or data. For higher-risk vendors, we conduct ongoing monitoring, and our CISO oversees remediation of any identified deficiencies. While we are not aware of any material data security breaches to date, for additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, "Risk Factors," in this annual report on Form 10-K , including the risk factors under the heading "Risks Related to Privacy, Data Protection and Cybersecurity," which is incorporated herein by reference. Governance Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee. Our CISO and our steering committee on information security, which includes members of our executive management as well as leaders of business functional areas, together with our Privacy and Data Protection Team, are primarily responsible to assess and manage our material risks from cybersecurity threats. Our CISO has over 20 years of experience leading in the information security field at well-known publicly traded technology companies. He also received a CIO Executive Education Certificate from Stanford University. Our CISO and our steering committee on information security oversee our cybersecurity policies and processes, including those described in "Risk Management and Strategy" above. The processes by which our CISO and our steering committee on information security are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents includes the following: risk assessment and management, policy development and implementation, prevention strategies, detection mechanisms, incident response and mitigation, remediation and recovery, reporting and communication, compliance and legal considerations, efforts at continuous improvement, and training and awareness. Our CISO and representatives from our steering committee on information security provide quarterly briefings to the audit committee regarding our company's cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. We maintain a comprehensive set of information security metrics to monitor and manage our cybersecurity program. Management provides the Audit Committee with updates on key cybersecurity performance indicators on a quarterly basis. Because many members of our board of directors regularly attend our audit committee meetings, the full board of directors regularly receives updates on cybersecurity.

Company Information