Aterian, Inc. - (ATER)
10-K Filing Date: March 19, 2024
We have processes in place for assessing, identifying, and managing material risks from potential unauthorized occurrences on or through our information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting the data. The data includes confidential, proprietary, and business and personal information that we collect, process, store, and transmit as part of our business, including on behalf of third parties. We also use systems and processes designed to reduce the impact of a security incident at a third-party vendor or customer, including assessment and monitoring of security standards and control procedures for external suppliers and vendors, with enhanced engagement or internal controls depending on the results of the assessment.
Additionally, we use processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party technology and systems, including: technology and systems we use for encryption and authentication; employee email; content delivery to customers; back-office support; and other functions. As part of our risk management process, we conduct application security assessments, vulnerability management, security audits, and ongoing risk assessments. We also maintain a variety of incident response plans that are utilized when incidents are detected. We require employees with access to information systems, including all corporate employees, to undertake data protection and cybersecurity training and compliance programs annually. We have a unified and centrally coordinated team, led by our Chief Technology Officer and our General Counsel, that is responsible for implementing and maintaining centralized cybersecurity and data protection practices at Aterian in close coordination with senior leadership and other teams across Aterian. In addition to our in-house cybersecurity capabilities, at times we also engage assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks. These third parties also consult on best practices to address new challenges upon request. Our cybersecurity risks and associated mitigations are evaluated by senior leadership, including as part of our risk assessments that are reviewed by the Audit Committee and our Board of Directors. As of the date of this report, the Company is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Despite the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company or its stakeholders.
Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” under the heading “Risks Related to Information and Cyber Security,” which should be read in conjunction with the information above. The Audit Committee, which is comprised of independent directors, oversees our policies and procedures for protecting our cybersecurity infrastructure and for compliance with applicable data protection and security regulations, and related risks. The Audit Committee receives reports regarding such risks from management, including our Chief Technology Officer, and reports to the Board at least quarterly. The Audit Committee also oversees the Board’s response to any significant cybersecurity incidents. Our Chief Technology Officer, who has extensive cybersecurity knowledge and skills gained from over ten years working in the technology industry, heads the team responsible for implementing and maintaining cybersecurity and data protection practices at Aterian, working closely with our General Counsel who has a certification in Data Security and Privacy Policy from Cornell University. Both our Chief Technology Officer and General Counsel report directly to one of our co-CEOs.