Purple Innovation, Inc. - (PRPL)

10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity Risk Management, Strategy, and Governance

 

In the ordinary course of our business, we receive, process, use, store and share digitally large amounts of data, including user data as well as confidential, sensitive, proprietary and personal information. We depend largely upon our information technology systems in the conduct of all aspects of our operations. Maintaining the integrity and availability of our information technology systems and this information, as well as appropriate limitations on access and confidentiality of such information, is important to our operations and business strategy. To this end, we have implemented processes and systems designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems to prevent adverse effects on the confidentiality, integrity, and availability of these systems and the data residing in them.

 

In 2023, we did not identify any cybersecurity breaches that materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition.

 

Management’s Role

 

Our management team is responsible for monitoring, preventing, detecting, mitigating and remediating cybersecurity incidents. Our chief technology officer has over 40 years of experience and has held various leadership roles in information technology, including serving as a chief information officer and chief technology officer for the last 12 years. He has successfully implemented and managed large enterprise resource planning systems, e-commerce websites, stores and enterprise infrastructure, both cloud-based and on-premise. His expertise extends to evaluating and hiring cybersecurity personnel and outsourced managed services, defining incident response plans, conducting tabletop exercises, and establishing communication protocols with internal executives, board members, and vendors. He has firsthand experience in responding to actual cybersecurity incidents, showcasing a deep understanding of the challenges and complexities within the cybersecurity landscape in the retail sector. Our senior director of cybersecurity and compliance has a 15-year track record as an information technology and information security professional, complemented by an Executive MBA. His career is distinguished by a decade of leadership as the commander of the United States Army cyber protection team (174 CPT), where he gained cybersecurity experience at USCYBERCOM and ARCYBER. He holds multiple professional certifications, including CISSP, PMP and multiple SANS certifications. Our chief technology officer and senior director of cybersecurity and compliance report to the Audit Committee on these matters.

 

We maintain a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our cybersecurity risk management processes are being integrated into our overall risk management processes. We are making efforts to incorporate cybersecurity considerations as a part of our business processes. We engage with external cybersecurity experts, including assessors, consultants, and auditors, to enhance our cybersecurity measures and ensure compliance with industry best practices. For example, a comprehensive cyber risk assessment, both physical and logical, was conducted by a third party, serving as an external penetration test to validate our security posture. We have established processes to oversee and manage cybersecurity risks associated with our use of third-party service providers, ensuring they adhere to our security standards. We review third-party service provider contracts to ensure they contain data privacy and security provisions, aligning with our standards and regulatory requirements. Additionally, we have established a Technology Review Committee (“TRC”) tasked with the role of evaluating new software tools and technologies before their implementation. The TRC consists of experts from various domains within our organization, including information technology security, compliance, legal, and operations. This TRC conducts assessments to ensure that any new software tools meet our standards for security, compliance and operational efficiency.

 


Board of Directors Oversight

 

The oversight of our cybersecurity is assigned to the Audit Committee of our Board of Directors. The Audit Committee receives regular reports and briefings from management on our cybersecurity threat risk management and strategy processes, including on topics such as our data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, incident response plans, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to these risks. In addition, management updates the Audit Committee as necessary regarding any material cybersecurity incidents as well as any incidents with lesser impact potential. The Audit Committee received one report from our Senior Director of Cybersecurity and Compliance in 2023.