Cadre Holdings, Inc. - (CDRE)

10-K Filing Date: March 12, 2024

Item 1C. Cybersecurity

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We conduct annual risk assessments to identify cybersecurity threats. These risk assessments include identifying reasonably foreseeable potential internal and external risks, the likelihood of occurrence and any potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, controls, and other safeguards in place to manage such risks. As part of our risk management process, we may engage third party experts to help identify and assess risks from cybersecurity threats.

Following these risk assessments, we design, implement, and maintain reasonable safeguards to minimize the identified risks; reasonably address any identified gaps in existing safeguards; update existing safeguards as necessary; and monitor the effectiveness of our safeguards. We believe that we have allocated adequate resources to address the cybersecurity threats that may affect the Company. Our Vice President of Information Technology and our Information Security Officer manage the Company’s cybersecurity risk assessment as well as mitigation process and also oversee our Incident Response Team which also includes Vice Presidents of Legal, Human Resources and Tax. The Company also participates in a cybersecurity risk insurance policy.

For additional information regarding cybersecurity threats that may materially affect the Company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K , including the risk factors entitled “We may be subject to disruptions, failures or cyber-attacks in our information technology systems and network infrastructures that could disrupt our operations, damage our reputation and adversely affect our business, operations, and financial results,” and “We rely on information technology systems, including third-party cloud-based solutions, and any failure of these systems due to outages and/or cyberattacks may result in disruptions or outages, loss of processing capabilities, and/or loss of data, any of which may have a material adverse effect on our business, operations, and financial results.”

Governance

One of the functions of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board of Directors is responsible for overseeing and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole and through its committees. In particular, the Audit Committee of our Board of Directors plays a large role in overseeing and assessing our financial, legal and operational risks, and receives reports from the management team regarding organizational risk as well as particular areas of concern, which includes, but is not limited to cybersecurity risks, related mitigation, and other related responses and activities.

32

Our Vice President of Information Technology and our Information Security Officer are primarily responsible for assessment and management of material risks from cybersecurity threats.

Our VP of Information Technology oversees key cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our Board of Directors and Audit Committee are informed at least annually about the Company’s policies and processes to monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. In addition, the VP of Information Technology will also report any cybersecurity risks and activities including but not limited to any cybersecurity threats and related responses and any cybersecurity systems testing.