Cannabist Co Holdings Inc. - (CBSTF)

10-K Filing Date: March 13, 2024
ITEM 1C. CYBERSECURITY

 

Risk Management and Strategy
 

We continue to make significant investments in our information technology systems pursuant to our operations. We believe that these investments, including additional technology changes to implement our strategic plan, are essential to enhance our overall customer experience, to support our compliance, internal controls and efficiency initiatives, to expand our capabilities to offer new products, and to provide scale for future growth and acquisitions. Our program ensures that we operate with greater efficiency.

The Company is actively engaged in identifying and managing cybersecurity risks. Protecting company data, non-public customer and employee data, and the systems that collect, process, and maintain this information is deemed critical. The Company has an enterprise-wide Information Security Program (“Security Program”), which is designed to protect the confidentiality, integrity and availability of customer non-public information. The Security Program was also designed to protect our operations and assets through a continuous and comprehensive cybersecurity detection, protection and prevention program. This program includes an information security governance structure and related policies and procedures, security controls, protocols governing data and systems, monitoring processes, and processes to ensure that the information security programs of third-party service providers are adequate. Our Security Program also continuously promotes cybersecurity awareness and culture across the organization.

 

The Company also has a business continuity/disaster recovery plan (the “BCP”), which it actively manages to prepare for any business continuity challenges it may face. Our BCP provides for the resiliency and recovery of our operations and services to our customers. The plan is supported and complemented by a robust business continuity governance framework, a life safety program as well as an enterprise-wide annual exercise and training to keep the program and strategies effective, scalable and understood by all employees. We believe both the Security Program and BCP adhere to industry best practices and are subject to periodic testing and independent audits.

Cybersecurity Risk

 

In 2018, the United States Securities and Exchange Commission (the “SEC”) published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. These SEC guidelines, and any other regulatory guidance, are in addition to notification and disclosure requirements under state and federal laws and regulations. If we fail to observe this regulatory guidance or standards, we could be subject to various regulatory sanctions, including financial penalties.

State regulators have been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. Many states have also recently implemented or modified their data breach notification, information security and data privacy requirements. We expect this trend of state-level activity in those areas to continue and are continually monitoring developments where our customers are located.

Risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking, and other technology-based products and services by us.

 

Governance

The risks from cybersecurity threats are monitored and managed by the Company’s information systems team members who have relevant expertise with such potential threats, and who operate in collaboration with other Company functions. The Company’s Audit Committee is responsible for overseeing cybersecurity risk and is informed in a timely manner of any incidents considered potentially serious, together with details on the prevention, detection, mitigation and remediation of such incidents.