MANNATECH INC - (MTEX)
10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity
Overview
Our cybersecurity program is integrated into our overall risk management systems, including our annual enterprise risk management program, business continuity and crisis management programs, third-party risk management program, insurance risk management program, and employee compliance programs. We have implemented and maintain comprehensive processes designed to manage and mitigate material cybersecurity threats to ensure that the company operates in a protected, compliant environment.
Management Oversight
Our cybersecurity governance program is led by the Senior Director of IT Operations. The Senior Director of IT Operations and members of our internal IT team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Specifically, management analyzes the following:
a. effectiveness of (i) the Company’s overall cybersecurity risk management, (ii) management’s procedures for identifying, measuring, and reporting on cybersecurity risk, and (iii) the incorporation of cybersecurity risk considerations into corporate strategy;
b. the Company’s cybersecurity risk profile and risk tolerance;
c. significant policies, programs and plan documents related to the management of cybersecurity risk and proposed changes to any of such documents;
d. the Company’s controls to prevent, detect and respond to cyberattacks or information or data breaches;
e. reports from senior management and/or appropriate external subject matter experts related to the monitoring and analysis of the Company’s current threat environment, vulnerability assessments related to cybersecurity risk management, and existing and expected future trends related to cybersecurity relevant to the organization;
f. the Company’s cyber-resiliency, including cybersecurity crisis preparedness, incident response plans, communication plans, and disaster recovery capabilities;
g. the capabilities and qualifications of the Company’s cyber and data privacy personnel; and
h. the Company’s cybersecurity strategy, related priorities and objectives, and the appropriateness of the resources allocated thereto, including, but not limited to, investments in cybersecurity infrastructure.
Our Senior Director of IT Operations oversees a team of analysts and operations support personnel and has extensive experience with the company’s applications and infrastructure. Our senior director reports to our President and Chief Operating Officer, who then communicates directly with the Nominating/Governance and Compliance Committee and the Board.
Risk Management and Strategy
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to maintain the security, confidentiality, integrity, and availability of our business systems and confidential information, including personal information and intellectual property. Our cybersecurity program includes systems and processes for assessing, identifying and managing material risks from cybersecurity threats and includes (i) maintenance and monitoring of information security policies aligned with global regulatory controls; (ii) user and employee awareness of cyber policies and practices; (iii) information systems configuration management; (iv) third-party risk management systems; (v) identity and information asset protection; (vi) infrastructure security systems; and (vii) cyber threat operations with continuous monitoring and threat hunting. This program includes processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers. We also engage a range of third-party experts in connection with various development, implementation, and maintenance activities related to our cybersecurity program. We have integrated cybersecurity risk into our disclosure controls and procedures.
As of the date of this report, management is not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business, operations, or financial condition. However, we are regularly the target of attempted cyber intrusions, and we anticipate continuing to be subject to such attempts. Our security programs and measures do not prevent all intrusions. Cyber intrusions require a significant amount of time and effort to assess and remedy, and our incident response efforts may not be effective in all cases. Although we believe that the probability of occurrence of a significant cybersecurity incident is less than likely, if such an incident were to occur, the impact on the Company could be substantial. See “Item 1A. Risk Factors – Risks Affecting Our Business and Industry – If our information technology system fails or if the implementation of new information technology systems is not executed efficiently and effectively, our business, financial position, and operating results could be adversely affected” of this Annual Report on Form 10-K.
Governance
Our Board of Directors engages in the assessment, oversight, and management of material risks that could affect the company. The board has delegated to the Nominating/Governance and Compliance Committee the oversight responsibility for our cybersecurity risk management program to ensure that cybersecurity risks are identified, assessed, managed, and monitored. This oversight includes compliance with disclosure obligations and requirements, cooperation with law enforcement, and related effects on financial risks, and the committee is responsible for reporting its findings and recommendations to the full board for its consideration. Our IT operations team and other members of management discuss cyber risks and trends and, if they arise, any material incidents with senior executives and the Nominating/Governance and Compliance Committee.