Leatt Corp - (LEAT)

10-K Filing Date: March 13, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy. 

We rely on information technology and data to operate our business and develop, market, and deliver our products to our customers. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to critical computer networks, third party hosted services, communications systems, hardware, software, and our critical data, including confidential, personal, proprietary, and sensitive data (collectively, our "Information Assets"). Accordingly, we maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess potential material impact to our business. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity, and availability of our Information Assets and mitigate harm to our business.

The Company's general risk management program is designed to manage identified material risks, which would include material cybersecurity risks. We engage in processes designed to identify such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry's risk profile, evaluating threats reported to us, coordinating with law enforcement concerning threats, conducting threat assessments for internal and external threats, and conducting vulnerability assessments to identify vulnerabilities. We rely on a multidisciplinary team (including from our information security function, management, and third-party service providers, as described further below) to assess how identified cybersecurity threats could impact our business. These assessments may leverage, among other processes, industry tools and metrics designed to assist in the assessment of risks from such cybersecurity threats.

Depending on the environment, we implement and maintain various technical, physical and organizational measures designed to manage and mitigate material risks from cybersecurity threats to our Information Assets. The cybersecurity risk management and mitigation measures we implement for certain of our Information Assets include: policies and procedures designed to address cybersecurity threats, including an incident response plan, vulnerability management policy, and disaster recovery/business continuity plans; incident detection and response tools; internal and/or external audits to assess our exposure to cybersecurity threats, environment, compliance with risk mitigation procedures, and effectiveness of relevant controls; documented risk assessments; implementation of security standards/certifications; encryption of data; network security controls; threat modeling; data segregation; physical and electronic access controls; physical security; asset management, tracking and disposal; systems monitoring; vendor risk management program; employee security training; penetration testing; cyber insurance.

We work with third parties from time to time to identify, assess, and manage cybersecurity risks, including professional services firms, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, and penetration testing firms. To operate our business, we utilize certain third-party service providers to perform a variety of functions, such as outsourced business critical functions, clinical research, professional services, SaaS platforms, managed services, IT asset management, cloud-based infrastructure, data center facilities, content delivery, encryption and authentication technology, corporate productivity services, and other functions.

We have certain vendor management processes designed to help manage cybersecurity risks associated with our use of certain of these providers. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information they process, conducting security assessments, conducting on-site inspections, requiring their completion of written questionnaires regarding their services and data handling practices, and conducting annual re-assessments during their engagement.

To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. However, due to evolving cybersecurity threats, we may not be able to protect all information systems. Additional information on cybersecurity risks we face is discussed in Item 1A of Part I, "Risk Factors," which should be read in conjunction with the foregoing information.

Governance. 

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including a dedicated information technology manager, who reports to the CEO. Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into the company's overall risk management strategy, and for communicating key priorities to employees, as well as for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management processes involve management, who participates in our disclosure controls and procedures.

Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances, including work with the company's incident response team to help the company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the company's incident response processes include reporting to the Board of Directors for certain cybersecurity incidents.

Management is involved with the Company's efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing preparation of cybersecurity policies and procedures, testing of incident response plans, and engagement of vendors to conduct penetration tests. Management participates in cybersecurity incident response efforts by being a member of the incident response team and helping direct the company's response to cybersecurity incidents. The Board of Directors is responsible for overseeing the company's cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.