Cardiff Lexington Corp - (CDIX)
10-K Filing Date: March 27, 2024
Risk Management and Strategy
We maintain a technology and cybersecurity program, which includes information security, as part of our overall risk management process with the aim that our information systems, including those of our vendors and other third-parties, will be resilient, effective, and capable of safeguarding against emerging risks and cybersecurity threats.
A key element of our technology and cybersecurity program strategy is fostering training and awareness for our employees.
Our technology and cybersecurity program focuses on the defense, rapid detection and rapid remediation of cybersecurity threats and incidents. Our program also includes cybersecurity policies and a crisis response and management plan that is intended to allow rapid management and response and appropriate communication of cybersecurity threats and incidents.
Our cybersecurity crisis management plan sets forth the items, procedures, and actions we expect to address and follow in the event of a cybersecurity incident, including detection, response, mitigation and remediation. When a potential threat or incident is identified, our cybersecurity incident response team will assign a risk level classification and initiate the escalation and other steps called for by our plan. All incidents that are initially assessed by the cybersecurity incident response team as potentially high-risk are escalated promptly to our Chief Executive Officer, who will determine whether and what elements of our cybersecurity crisis response and management plan should be activated, including escalation to other senior management. Our Chief Executive Officer will inform our board of directors of cybersecurity incidents, as appropriate, considering a variety of factors, including financial, operational, legal, or reputational impact.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Risk Governance
We are committed to appropriate cybersecurity governance and oversight. Our board of directors oversees management’s processes for identifying and mitigating risks, including cybersecurity and information security risks. As noted elsewhere in this report, we plan to establish a standing audit committee. Once we establish an audit committee, we anticipate that the audit committee will oversee risks related to cybersecurity and report to the full board regarding its activities, including those related to cybersecurity.
Our board of directors meets regularly with our executive management and receives updates on the status and overall effectiveness of our technology and cybersecurity program, relevant information technology operations, any changes in material cybersecurity risks and any significant cybersecurity incidents consistent with our technology and cybersecurity program. The board also discusses with executive management the steps management has taken to monitor and mitigate privacy, data security, and cybersecurity risk exposures, our information governance policies and programs, and major legislative and regulatory developments that could materially impact our exposure regarding privacy, data security risk, and cybersecurity. The board of directors considers cybersecurity as part of our business strategy, financial planning, and capital allocation.
For additional information on our cybersecurity risks, please see Item 1A “Risk Factors—Risks Related to Our Business and Structure—A cyber security incident could cause a violation of HIPAA, breach of member privacy, or other negative impacts.”