TANDY LEATHER FACTORY INC - (TLF)
10-K Filing Date: March 22, 2024
ITEM 1C.
CYBERSECURITY
Cybersecurity Risk Management and Strategy
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its data. The Company’s information security program is managed by its Vice President, Operations and Technology, whose team is responsible for leading Company-wide cybersecurity strategy, policy, standards, architecture, and processes.
We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF and AI Risk Management Framework). This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program.
Key components of our cybersecurity risk management program
The Company’s cybersecurity program includes:
• Advanced security infrastructure with state-of-the-art firewalls and intrusion detection systems.
• Regular cybersecurity training for employees.
• Strict data access controls and authentication protocols.
• Continuous monitoring of our networks and systems for signs of unauthorized activity.
• Partnerships with leading cybersecurity software and hardware providers for real-time systems monitoring and threat intelligence.
In the event of a cybersecurity incident, the Company’s response plan includes:
• Immediate containment and assessment of the incident.
• Notification to relevant stakeholders, including officers, board members, investors and customers where appropriate, in compliance with legal and regulatory requirements.
• Cooperation with law enforcement and regulatory bodies as needed.
• Post-incident analysis and measures to prevent future occurrences.
At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors”.
Cybersecurity Governance
The Company’s Board of Directors oversees management’s cybersecurity strategy. Management provides a full briefing on various cybersecurity risk matters including risk assessments, mitigation strategies, areas of emerging risk and other areas of importance at least annually. In the event of a cybersecurity incident determined to be significant, management will notify the Board.
The Company remains vigilant in its efforts to protect its systems, data, and stakeholders from cybersecurity threats and believes that its proactive and comprehensive approach positions it well to manage these risks effectively.