Ascend Wellness Holdings, Inc. - (AAWH)
10-K Filing Date: March 13, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
The operation of our businesses is dependent on the secure functioning of our computer infrastructure, digital information systems, and third-party hosted services. We use these systems to maintain sensitive business and customer data, operate record-keeping and accounting functions, process business transactions, and for other key aspects of our business.
We rely on a multidisciplinary team, including our information technology (“IT”) department, management, and third-party service providers to identify, assess, and manage cybersecurity threats and risks. Our information security program utilizes various security tools and strategies, including risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring, and employee training. We also work with third parties that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, consulting firms, and threat intelligence service providers.
Our cybersecurity risk management is integrated into our overall risk management system. Our IT department works closely with our management and other relevant teams to regularly assess and identify possible material risks from cybersecurity threats, including, but not limited to, financial, operational, reputational and regulatory impact to the Company, as well as impacts on our employees and customers. Their risk assessment results are reported on at least a quarterly basis to our Executive Compliance Committee, as described further below, to identify and assess short-, medium- and long-term risks, and to ensure adequate mitigation strategies are implemented.
Our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity-related risks, see “Risk Factors – We face risks related to our information technology systems, and potential cyber-attacks and security breaches.”
Cybersecurity Governance
Our management leads our cybersecurity risk assessment and management processes and oversees their implementation and maintenance. Our information security program is coordinated by our IT department, led by our Senior Vice President of Information Technology, who has 27 years of industry experience in IT, with responsibility for enterprise security and cyber risk management, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Supporting team members have relevant educational and industry experience, including holding similar technology positions at other companies.
Management, in coordination with our IT department, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Management is responsible for approving budgets, approving cybersecurity processes, and reviewing cybersecurity assessments and other cybersecurity-related matters.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. Our incident response processes include reporting to the Executive Compliance Committee, which includes our executive officers and leaders from the IT, compliance and legal teams, as well as to the Board for certain cybersecurity incidents.
Our Board holds oversight responsibility over the Company's strategy and risk management, including material risks related to cybersecurity threats. Members of the Board receive updates on a quarterly basis from senior management and the Executive Compliance Committee, including the reporting of emerging or existing cybersecurity risks, mitigation strategies employed to manage these risks, any cybersecurity and data privacy incidents, and status on key information security initiatives. In addition, our SVP of IT annually provides an overview of our information security program to the Board, including a summary of key performance indicators.