Verano Holdings Corp. - (VRNOF)

10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY
The Company faces cybersecurity threats such as ransomware and denial-of-service. The Company’s customers, vendors and business partners face similar cybersecurity threats, and a cybersecurity incident impacting the Company or any of these third-party entities could materially adversely affect our operations, performance and results of operations. In particular, the Company emphasizes the importance of cybersecurity as it may receive, store and transmit personal medical and other information relating to its customers, and believes it is imperative to protect this information from potential threats.
Additionally, the Board recognizes the critical importance of maintaining the trust and confidence of the Company’s customers, vendors, business partners and employees. The Board oversees the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company’s Cybersecurity Incident Response Plan (the “Cybersecurity Plan”), which includes the Company’s standards, processes and practices, is a component of the Company’s ERM program and is based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, the Company’s Cybersecurity Plan states that it seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on (i) preserving restrictions on information access and disclosure, including means for protecting the confidentiality of personal, private and proprietary information, (ii) guarding against improper information modification or destruction, and (iii) ensuring timely and reliable access to the Company’s information systems.
Risk Management and Strategy
As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity program is focused on the following key areas:
Preparing for Cybersecurity Risks: The Company’s Cybersecurity Plan lays out ongoing processes for incident response and prevention, including processes for improving the Company’s cybersecurity response following any cybersecurity incident. All employees undergo training to aid in understanding the Company’s expectations for safeguarding all data stored on Company networks. In addition to its Cybersecurity Plan, the Company has established risk management guidelines (the “Risk Management Guidelines”) that address the Company’s response to risks, including a cybersecurity incident. The Risk Management Guidelines describe the Company’s policy for managing enterprise risk, including external risks arising from cybersecurity threats, and provide that the audit committee of the Board (the “Audit Committee”) will coordinate with and assist the Board in its oversight of risk.
The Company’s Risk Management Guidelines also dictate that the Board will conduct an annual performance evaluation of the Board’s oversight of the Company’s overall risk-taking tolerance and management, conducted in such manner as the Board deems appropriate.
Identify Risks and Notify Company of Risks: The Cybersecurity Plan dictates an approach to identify and confirm suspected incidents, to determine the severity of the risk and to promptly take basic initial containment steps. The Cybersecurity Plan includes notification processes for certain cybersecurity incidents which aim to inform and activate an incident response team consisting of officers and employees of the Company and certain external service providers.
Containment, Eradication and Recovery: The Company’s Cybersecurity Plan includes processes for containing ongoing cybersecurity threats if they occur and preventing the recurrence of past malicious activity, proposing remediation for malicious activity, and recovering affected business processes with the goal of restoring business operations.
Third-Party Risk Management: The Company’s Cybersecurity Plan contemplates a Company response to cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Use of Third-Party Vendors: Per the Company’s Risk Management Guidelines, the Board may, in its discretion, delegate all or a portion of its duties and responsibilities to other committees of the Board. The Board has not yet engaged assessors, consultants, auditors or other third parties to aid in processes related to cybersecurity threats. Any such committee will have the resources and authority appropriate to discharge its duties and responsibilities, including the authority to select, retain, terminate, and approve the fees and other retention terms of special or independent counsel, accountants or other experts, as it deems appropriate, without seeking approval of the Board or management. The Company may, from time to time, engage third-party vendors to assist in developing, identifying and managing risks.
Governance
Board Oversight: The Board has reviewed and discussed with management the Company’s risk assessment process, risk management framework and reporting mechanisms, implementation and monitoring, including as each of these relates to cybersecurity risks. The Audit Committee coordinates and assists the Board in its oversight of risk. The Board and Audit Committee each receive presentations and reports on Company risks, including cybersecurity risks. The Cybersecurity Plan also contemplates that the Board will receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. The Board has discussed the Company’s approach to cybersecurity risk management with members of management, including the Company’s Executive Vice President of Information Technology.
Management: The Company has a Cyber Incident Response Team (the “IRT”), which is comprised of employees including, among others, the Executive Vice President of Information Technology, the Chief Financial Officer (“CFO”), the Chief Operations Officer (“COO”) and the Chief Legal Officer (“CLO”), as well as potential outside advisors and service providers, as deemed appropriate. The Cybersecurity Plan contemplates that, in the case of a cybersecurity risk, the Executive Vice President of Information Technology, in coordination with the IRT, will work collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incident in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, the Cybersecurity Plan contemplates that multidisciplinary teams throughout the Company will be deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the Cybersecurity Plan dictates that the Executive Vice President of Information Technology and the IRT monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Board when appropriate.
The Executive Vice President of Information Technology has served in various roles in information technology and information security for over 25 years, including serving as the Chief Information Officer of other public companies.
Past Incidents
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. See Item 1A of Part 1 – “Risks Related to our Business and Operations – Information Technology, Cybersecurity and Intellectual Property” for additional information on risks related to cybersecurity threats.