Vado Corp. - (VADP)
10-K Filing Date: April 16, 2024
Like all companies that utilize technology, we are subject to threats of breaches of our technology systems. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management. Our Board and our management actively oversee our risk management program, including the management of cybersecurity risks. We have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats, including those discussed in our Risk Factors. We have devoted financial and personnel resources to implement and maintain security measures to meet regulatory requirements and shareholder expectations, and we intend to continue to make investments to maintain the security of our data and cybersecurity infrastructure. While there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective, we believe that the Company’s sustained investment in people and technologies has contributed to a culture of continuous improvement that has put the Company in a position to protect against potential compromises, and we do not believe that risks from prior cybersecurity threats have materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that past or future attacks will not materially affect us, including our business strategy, results of operations, or financial condition.
Risk Management and Strategy
At a high level, the key objectives for the Company’s cybersecurity program are to implement and sustain effective security controls to stop intrusion attempts and to maintain and continuously improve its ability to respond to attacks and incidents. Success in achieving these objectives relies upon using quality technology solutions, cultivating and maintaining a team of skilled professionals, and improving processes continuously. Our cybersecurity program in particular focuses on the following key areas:
Risk Assessment: At least annually, we conduct a cybersecurity risk assessment that takes into account information from our employees, known information security vulnerabilities, and information from external sources, including reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants. The results of the assessment, which also includes findings from our automated vulnerability scanning tools, are used to regularly update our security protocols, develop initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader Company-wide risk assessment. These updates and initiatives are then reported to our Board and members of management. While there is no documented process for cataloging all digital assets and data, all information is backed up and saved automatically in our Google Suite.
Technical Safeguards: We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
Incident Response and Recovery Planning: We have established comprehensive incident response and recovery plans that guide our response in the event of a cybersecurity incident.
Third Party Risk Management: We have implemented a third party risk management program, which is designed to identify and mitigate cybersecurity threats associated with our use of third party collaborators. Such collaborators are subject to security risk assessments at the time of onboarding and contract renewal, based on established cybersecurity standards that both parties review to ensure an industry-standard level of security is achieved. However, there is no periodic review process in place for assessing vendor compliance with our cybersecurity standards. We use a variety of inputs in such risk assessments, including information supplied by collaborators in response to detailed questionnaires and meetings as well as information from third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party collaborators, as appropriate.
Education and Awareness: Our policies encourage each of our employees to contribute to our data security efforts. We provide comprehensive training resources, ensuring that each team member is equipped with the knowledge to protect our organization against cyber threats. However, the completion and understanding of this training is not mandatory for all employees. We regularly remind employees of the importance of handling and protecting data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. In this regard, the Company has implemented policies and procedures for all employees including: (i) information security/cybersecurity policies, which are internally available for all employees; (ii) information security/cybersecurity awareness training; (iii) a clear escalation process which employees can follow in the event an employee notices something suspicious; and (iv) ensuring that information security/cybersecurity is part of the employee performance evaluation and/or disciplinary process.