Expion360 Inc. - (XPON)
10-K Filing Date: March 28, 2024
We maintain an information security and cybersecurity program, as well as a cybersecurity governance framework, which are designed to protect our information systems against operational risks related to cybersecurity.
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats which include, among other things, operational risks, intellectual property theft, fraud or extortion, harm to employees or customers, violation of privacy or security laws and related litigation and legal risk, and reputational risks.
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, and detect and contain any cybersecurity incidents that impact us. We regularly engage with third-party consultants in connection with our cybersecurity risk management program, which is overseen by our Chief Operating Officer. The program is integrated into our overall risk management systems and processes, and includes a cybersecurity risk assessment process that routinely evaluates potential impacts of cybersecurity risks on our business, including our operations, financial stability, and reputation. These assessments inform our cybersecurity risk mitigation strategies. The results are regularly shared with management and the Audit Committee of our Board as part of the committee’s involvement in managing and overseeing cybersecurity risks.
Our cybersecurity risk management program also includes processes to triage, assess the severity of, escalate, contain, investigate, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. If a cybersecurity incident is determined to be a potentially material cybersecurity incident, our disclosure controls and procedures define the steps to determine materiality and disclose such a material cybersecurity incident.
While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our employees, customers, regulators, service providers, and other third parties have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see the section entitled “Risk Factors — If our electronic data is compromised, or we experience a failure in our information technology or storage systems, our business could be significantly harmed.” included within this Annual Report.
Cybersecurity Governance
Our Board is actively involved in overseeing risks from cybersecurity threats. At least once a year, our Board discusses our programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of our business strategy. Our Audit Committee has the authority to oversee and review the adequacy of our cybersecurity, information and technology security, and data privacy programs, procedures, and policies.
The Audit Committee regularly receives updates from management with respect to our efforts to manage data protection, cybersecurity, and information and technology risks, and assesses the results of reviews from internal audits. Materials presented to our Audit Committee include updates on our data security posture, results from internal audit and third-party assessments, our incident response plan, and certain cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. The Audit Committee also regularly engages with Management on technology risk-related topics.
Our processes also allow for our Board and the Audit Committee to be informed of key cybersecurity risks outside the regular reporting schedule. While regular meetings of the Audit Committee are scheduled on a quarterly cadence, the Audit Committee is authorized to meet with management or individual directors at any time it deems appropriate to discuss matters relevant to the committee. Our policy is for the Board and the Audit Committee to receive prompt and timely information regarding any cybersecurity risk (including any incident) that meets reporting thresholds, as well as ongoing updates regarding any such risk.