urban-gro, Inc. - (UGRO)

10-K Filing Date: March 28, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risks
We rely on information technology systems and networks to process, transmit, and store electronic information in our operations, including our proprietary business information and that of our customers, suppliers, and employees. We use various information technology systems and networks to manage our operations and maintain effective internal control over financial reporting. We also collect and store sensitive data, including intellectual property, proprietary business information, and personal information of our customers, suppliers, and employees, in our data centers and on our networks. The secure operation of these information technology systems and networks, and the processing and maintenance of this information, are critical to our business operations and strategy.
Despite our security measures, our information technology systems and networks may be subject to damage, disruption, or unauthorized access due to a variety of factors, including cyberattacks by computer hackers, computer viruses, ransomware, phishing, denial-of-service attacks, physical or electronic break-ins, employee error or malfeasance, power outages, natural disasters, or other catastrophic events. Any such damage, disruption, or unauthorized access could compromise our networks and the information stored there could be accessed, publicly disclosed, lost, or stolen. Any such access, disclosure, or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, regulatory penalties, disruption to our operations, damage to our reputation, loss of customers, potential harm to our competitive position, and additional costs to remediate the issue.

Cybersecurity Practices
We have implemented various measures to manage our risk of information technology systems and networks damage, disruption, or unauthorized access, including employee training, monitoring of our systems and networks, maintenance of backup and protective systems, and use of modern endpoint detection and response tools which are integrated into urban-gro's risk management systems and processes. We also operate in a fully cloud-based environment, which enhances our scalability, flexibility, and resilience, and utilize third parties to perform early internal and external vulnerability assessment and risk identification. We have established extensive backup and recovery procedures to ensure the continuity of our operations in a cyber incident. We also maintain cyber liability insurance coverage as part of our comprehensive risk management program. However, these measures may not be sufficient to prevent, detect, or mitigate the impact of such damage, disruption, or unauthorized access. Moreover, the regulatory environment related to information security, data protection, and privacy is increasingly demanding and complex, and compliance with applicable laws and regulations may result in significant costs or require changes in our business practices that could adversely affect our operations.

Cybersecurity Leadership
Our Board of Directors is actively involved in overseeing our cybersecurity risk management. Our Board of Directors receives quarterly updates on our cybersecurity posture, threats, and incidents from our Senior Vice President of Technology. Our Board of Directors also delegates certain oversight functions to our Audit Committee, which reviews our cybersecurity policies, procedures, controls, and audit results. Our Board of Directors and our Audit Committee regularly assess the adequacy of our cybersecurity risk management framework and the effectiveness of our mitigation strategies.
Our cybersecurity operations are led by our Senior Vice President of Technology, who has over 20 years of experience in the field of cybersecurity. He is responsible for developing and implementing our cybersecurity strategy, policies, standards, and practices. He also oversees our cybersecurity team, which includes a staff member who recently completed his master's degree in cybersecurity. Our cybersecurity team monitors, detects, responds, and reports on cybersecurity threats and incidents, and coordinates with our internal and external stakeholders to ensure the security of our information assets.
urban-gro adheres to the NIST Cybersecurity Framework 2.0, which provides a set of standards, guidelines, and best practices to manage cybersecurity-related risks. We have developed and documented our systems disaster recovery plan, which outlines the roles, responsibilities, and procedures for restoring our critical systems and data in the event of a cyber incident. We have also crafted over 12 internal policies to help maintain a secure environment, such as our information security policy, our data classification policy, our incident response policy, and our password policy. We regularly conduct phishing simulations, vulnerability scans, penetration tests, and audits to test the effectiveness of our controls and backups, and to identify and remediate any gaps or weaknesses in our cybersecurity posture.
Cybersecurity Incidents
Despite our efforts to prevent and mitigate cybersecurity incidents, we cannot guarantee that we will not experience any breaches, disruptions, or unauthorized access to our information technology systems and networks. We have experienced, and may continue to experience, cybersecurity incidents that could have a material adverse effect on our business, financial condition, results of operations, and prospects. For example, in 2019, we were a victim of a wire fraud scheme, in which a fraudulent party compromised the email account of one of our employees and sent a fraudulent wire transfer request to our bank. We believe the bank did not follow its verification procedures and executed the wire transfer without our authorization. Please see the Legal Proceedings section for more information. After this incident, we implemented multi-factor authentication (MFA) across all our systems and email accounts to prevent unauthorized access and impersonation. We also enhanced our internal controls and training to prevent and detect wire fraud and other cyber risks.