Zevia PBC - (ZVIA)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity

We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for assessing, identifying, and managing material risks from cybersecurity threats. This process is supported by both management and our Board of Directors.

To prevent, detect, mitigate, and remediate information security threats, including a cybersecurity incident and/or threat, we maintain a cyber risk management process managed by our Senior Vice President, Operations (“SVP, Operations”) who reports to our CEO. The SVP, Operations works with the Vice President, Deputy General Counsel (“Legal”) on cybersecurity strategy, policy, training, standards, architecture, and processes. We have invested, and expect to continue to invest, in resources for the protection and safeguarding of our information technology systems, including, but not limited to, networks, applications, and outsourced technology services in connection with the operation of our business. These resources are designed to detect and respond to cyber incidents that may result in unauthorized access to, ransomware, damages, or destruction of, our information and systems.

Risk Management and Strategy

Cybersecurity risk is a direct responsibility of management and the Company’s information technology (“IT”) team. Working cross-functionally with Legal, our SVP, Operations oversees the IT team that regularly monitors and assesses cybersecurity risks, implements measures designed to mitigate such risks and their associated effects on the Company and personal data collected, stored, and processed in our systems, and manages our information security training and cybersecurity awareness program. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework.

Our approach to cybersecurity risk management includes the following:

Multi-Layered Defense and Monitoring – We work to protect our computing environments from cybersecurity threats through multi-layered defenses and monitoring efforts to identify cybersecurity threats, and to help prevent future attacks. We utilize data analytics systems to detect anomalies and identify cyber threats. From time to time, we engage third-party consultants or other advisors to assist in assessing, identifying, and/or managing cybersecurity threats. We also periodically use our internal audit partner to conduct additional reviews and assessments.
Insider Threats – We maintain organizational controls such as limited access, and access removal for terminated employees, designed to minimize insider threats, and address potential risks from within our Company. Our measures and controls are informed by industry practices, and designed to be consistent with applicable law, including privacy and other considerations.
Third Party Risk Assessments – We conduct privacy and information security risk assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties.
Training and Awareness – We provide awareness training to our employees to help identify, avoid and mitigate cybersecurity threats. Our employees with network access are required to participate annually in training, including phishing simulations and other awareness training. We also periodically host tabletop exercises with management and other employees to practice rapid cyber incident response.
Supplier Engagement – Our standard terms and conditions contain contractual provisions requiring that our third-party suppliers disclose to us the technical and organizational measures they maintain, the standards and certifications by which they are evaluated for information and cyber security, and their cybersecurity insurance protection level. We seek to mitigate risk by evaluating the foregoing against any potential cyber-related risks depending on the nature of the services being provided.

Governance

Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The Nominating and Enterprise Risk Management (“NERM”) Committee of the Board of Directors specifically assists the Board in its oversight of risks related to cybersecurity. In accordance with its charter, the NERM Committee receives regular reports at each of its quarterly meetings from management, including the SVP, Operations. Such reporting includes updates on the Company’s cybersecurity program, information security matters, the evolving cybersecurity threat environment, applicable privacy law compliance, and the Company’s mitigation plans and evolving mitigation strategy. The Chair of the NERM Committee regularly reports to the Board of Directors on cybersecurity risks and other related matters. In addition, both the NERM Committee and the Audit Committee, in a joint meeting, receive an update on the Company’s risk management process and the risk trends related to cybersecurity at least annually. Management reports to the NERM Committee and/or the Board of Directors in between meetings as appropriate regarding any significant cyber events.

To date we have not identified any cybersecurity threat or incident that has materially affected the Company or our financial position, results of operations and/or cash flows, but we face certain ongoing cybersecurity risk threats that, if realized, are reasonably likely to materially affect us. We continue to invest in the cybersecurity and resiliency of our networks and enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Part I, Item 1A. “Risk Factors” included in this Annual Report.