VISTA GOLD CORP - (VGZ)
10-K Filing Date: March 14, 2024
Description of Processes for Assessing, Identifying and Managing Cybersecurity Risks
Vista’s system of internal controls includes consideration of cybersecurity risks. The Company uses technology and control procedures designed to mitigate cybersecurity risks, with our management team working to monitor, identify, assess, and respond to potential cybersecurity incidents that may threaten the Company. The system of controls also focuses on security awareness and training for employees and contractors with access to Company facilities or systems. Company management periodically reviews system and organization control reports (SOC 1, Type 2) for key outsourced information systems to ensure that third-party data processing is subject to appropriate controls and security measures. Cybersecurity risks for Vista include the potential for financial loss, loss of data, and business interruption. Vista maintains technology and non-technology-based system controls, a data backup program, and disaster recovery testing to mitigate these risks.
Our cybersecurity controls also follow defense in depth principles, which aim to implement various layered access control, detection, prevention, and response measures. We periodically engage with third parties to assess our vulnerabilities and help us mitigate cybersecurity-related risks.
Management’s Role in Assessing and Managing Cybersecurity Risks
The Company’s chief executive officer (“CEO”) and chief financial officer (“CFO”) have primary responsibility for cybersecurity risk management and the implementation of processes for identifying, assessing, and managing material risks from cybersecurity threats. Officers of the Company and its Australian subsidiary review, at least quarterly, developments relevant to the Company’s cybersecurity control environment. This group of officers has experience managing public companies and overseeing internal controls associated with cybersecurity. Additional support for IT general controls and specific cybersecurity matters is provided to the Company through third-party IT specialists. Per the Company’s policies, including its Disclosure Policy and Code of Business Conduct and Ethics, cybersecurity incidents are to be immediately reported to the Vista management team for resolution. Information technology general controls, including controls to mitigate cybersecurity risks, are considered by management during their assessment of the Company’s design and effectiveness of internal controls over financial reporting. Findings from these control procedures are considered by management and, as deemed appropriate to reduce cybersecurity risks to an appropriately low level, are implemented. This may include modification of internal control procedures, adoption of technology solutions, and testing of specific elements of the system of controls.
Board of Directors’ Oversight of Risks from Cybersecurity
Management, under supervision of the Company’s CEO and CFO, has developed a system of internal controls that identifies risks to the Company, designed controls intended to reduce risks to an appropriately low level, implemented control procedures, and subsequently tested such control procedures. Management presents an enterprise risk management assessment to the Audit Committee on a quarterly basis and provides the Audit Committee with frequent updates of specific financial statement risks. Risks associated with cybersecurity are included in these risk assessments, subjected to testing of key controls, and reflected in management’s reports to the Audit Committee. The full Board of Directors receives periodic briefings on selected risk matters, and is invited to participate in each Audit Committee meeting and, as such, provided with the same information presented to the Audit Committee.
No Previous Material Cybersecurity Threats
We are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. Despite the security and risk management measures that we have implemented and any additional measures we may implement or adopt in the future, our facilities and systems, and those of our third-party service providers, have been and are vulnerable to security breaches, computer viruses, lost or misplaced data, programming errors, scams, burglary, human errors, acts of vandalism, misdirected wire transfers, or other malicious or criminal activities. A successful attack on our information or operational technology systems could have material consequences to the Company. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See “Item 1A. Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.