Nuvera Communications, Inc. - (NUVR)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity Risks

 

Material Effects from Cybersecurity Incidents

 

Our business is subject to risk from cybersecurity threats and incidents, including attempts to gain unauthorized access to our systems or networks, or those of our managers, employees, and third-party vendors and service providers, to disrupt operations, corrupt data or steal confidential or personal information and other cybersecurity breaches. Nuvera considers cybersecurity risk a serious threat to our assets and our people and has put processes in place designed to mitigate the risk and impact of any such cybersecurity threat or incident.

 

27


 

Our operations rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information (including personal information) in our systems and networks. We also rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information in the systems and networks of our customers and third parties, including suppliers, sellers and servicers, financial market utilities, and other third parties. Cybersecurity risks for companies like ours continue to increase. Like many companies and government entities, from time to time we have been, and expect to continue to be, the target of attempted cybersecurity incidents and other information security threats, including those from nation-state and nation-state supported actors.

As of the date of this report we have not experienced or aware of any cybersecurity incidents resulting, or reasonably likely to result in, a material impact to our company, including to our business, financial condition, and results of operations. There is no assurance that our cybersecurity risk management program will prevent cybersecurity incidents from having such impacts in the future.

Additionally, insider threats also remain a risk given our workforce diversification to include contractors, remote workers, part-time employees, and full-time employees. As referenced above, our third-party vendors and service providers and their supply chain connections remain a potential source of risk.

For additional information, see Risk Factors – Risks Related to Our Business. Potential cybersecurity threats are changing rapidly and advancing in sophistication. We may not be able to protect our systems and networks, or the confidentiality of our confidential or other information (including personal information), from cybersecurity incidents and other unauthorized access, disclosure, and disruption.

Cybersecurity Risk Management and Strategy

 

Our cybersecurity program is built upon the National Institute for Standards and Technology and other best practice frameworks. We employ processes for assessing, identifying, and managing material risks from cybersecurity threats, including engaging an independent cybersecurity consultant to audit our systems and procedures, make recommendations for improvement and monitor remediation of any identified risks. We also conduct random vulnerability testing including network penetration testing, phishing and social engineering tests. In addition, we also require Systems and Organization Control (“SOC”) type reports from our service providers for our payroll and human resources system and stock administrator.

 

Although we maintain systems and controls designed to prevent cybersecurity breaches from occurring, and we have processes to identify and mitigate threats, the development and maintenance of these systems, controls and processes is costly and requires ongoing monitoring and updating as technologies change and efforts to overcome security measures become increasingly sophisticated. Moreover, despite our efforts, the possibility of a breach occurring cannot be eliminated entirely. As we engage in more electronic transactions with service customers and vendors, and rely more on cloud-based information systems, the related security risks will increase, and we will need to expend additional resources to protect our technology and information systems. In addition, there can be no assurance that our internal information technology systems or those of our third-party contractors, or our consultants’ efforts to implement adequate security and control measures, will be sufficient to protect us against breakdowns, service disruption, data deterioration or loss in the event of a system malfunction, or prevent data from being stolen or corrupted in the event of a cyberattack, security breach, industrial espionage attacks or insider threat attacks which could result in financial, legal, business or reputational harm.

 

28


 

Cybersecurity Governance

 

All employees of the Company have ownership in managing cybersecurity and data privacy risks, however, oversight responsibility is shared by our BOD, Audit Committee and cybersecurity management team. The Audit Committee is responsible for our cybersecurity policies and provides regularly updates to the BOD Our cybersecurity management team, in conjunction with our third-party chief information security officer (“CISO”), conduct regular assessment and management of material risks from cybersecurity threats, including review with our internal cybersecurity management team. All employees and consultants are directed to report to our cybersecurity management team any irregular or suspicious activity that could indicate a cybersecurity threat or incident.

 

Our cybersecurity management team has primary responsibility for identifying, assessing and managing our exposure to cybersecurity threats and incidents, subject to oversight by the Audit Committee of the BOD of the processes we establish to assess, monitor and mitigate that exposure.

 

If a potentially material cybersecurity threat or incident is identified or discovered, the Company’s Cybersecurity Management Team will trigger our incidence response plan, including notifying our CEO, CFO, General Counsel and other relevant business executives. Our Cybersecurity Management Team, along with our CISO, will work with the appropriate leaders and employees in any impacted business groups, as well as appropriate personnel in our finance, legal and other impacted departments, to assess the risks to the Company and potential impact while determining appropriate remediation steps. If executive management determines that a cybersecurity threat or incident could be material to the Company, our management will notify the Audit Committee, who will escalate the risk to our full BOD, depending on an assessment of the risk.