MARIMED INC. - (MRMD)
10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company’s overall risk management systems, as overseen by the Company’s board of directors, primarily through its audit committee. These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company conducts security assessments of certain third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company engaged a third party consulting firm to evaluate and test the Company’s risk management systems and to assess and remediate potential cybersecurity incidents as appropriate, which work is ongoing.
Governance
Board of Directors
The audit committee of the Company’s board of directors, with the input of management, oversees the Company’s internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The audit committee is informed of material risks from cybersecurity threats by the Company’s Chief Executive Officer, Chief Financial Officer and Vice President of Information Technology. Updates on cybersecurity matters, including material risks and threats, are provided to the Company’s audit committee, and the audit committee provides updates to the Company’s board of directors at regular board meetings. The Vice President of Information Technology also provides updates annually or more frequently as appropriate to the Company’s board of directors.
Management
Under the oversight of the audit committee of the Company’s board of directors, and as directed by the Company’s Chief Executive Officer, the Vice President of Information Technology is primarily responsible for the assessment and management of material cybersecurity risks and establishing and maintaining adequate and effective internal controls covering cybersecurity matters. The Vice President of Information Technology has more than 20 years of experience with information technology and related systems security matters and processes.
The audit committee of the Company’s board of directors, with the assistance of the Company’s Chief Financial Officer and Vice President of Information Technology, is responsible for overseeing the establishment and effectiveness of controls and other procedures, including controls and procedures related to the public disclosure of material cybersecurity matters.
During the year ended December 31, 2023, the Company experienced a cybersecurity incident that resulted in a $0.7 million term loan payment being initiated in error to an account provided in a fraudulent email the Company received. As
18
a result of this incident, with the assistance of an outside independent consultant, the Company reviewed and strengthened its procedures in and around the approval of wire transfers of funds, and believe that these enhanced procedures will protect the Company against the reoccurrence of such incidences in future periods.
As of the date of this report, other than the foregoing, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition and that are required to be reported in this report. For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factors in Item 1A. Risk Factors in this report.