Zevia PBC - (ZVIA)
10-K Filing Date: March 06, 2024
We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for assessing, identifying, and managing material risks from cybersecurity threats. This process is supported by both management and our Board of Directors.
To prevent, detect, mitigate, and remediate information security threats, including a cybersecurity incident and/or threat, we maintain a cyber risk management process managed by our Senior Vice President, Operations (“SVP, Operations”) who reports to our CEO. The SVP, Operations works with the Vice President, Deputy General Counsel (“Legal”) on cybersecurity strategy, policy, training, standards, architecture, and processes. We have invested, and expect to continue to invest, in resources for the protection and safeguarding of our information technology systems, including, but not limited to, networks, applications, and outsourced technology services in connection with the operation of our business. These resources are designed to detect and respond to cyber incidents that may result in unauthorized access to, ransomware, damages, or destruction of, our information and systems.
Risk Management and Strategy
Cybersecurity risk is a direct responsibility of management and the Company’s information technology (“IT”) team. Working cross-functionally with Legal, our SVP, Operations oversees the IT team that regularly monitors and assesses cybersecurity risks, implements measures designed to mitigate such risks and their associated effects on the Company and personal data collected, stored, and processed in our systems, and manages our information security training and cybersecurity awareness program. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework.
Our approach to cybersecurity risk management includes the following:
Governance
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The Nominating and Enterprise Risk Management (“NERM”) Committee of the Board of Directors specifically assists the Board in its oversight of risks related to cybersecurity. In accordance with its charter, the NERM Committee receives regular reports at each of its quarterly meetings from management, including the SVP, Operations. Such reporting includes updates on the Company’s cybersecurity program, information security matters, the evolving cybersecurity threat environment, applicable privacy law compliance, and the Company’s mitigation plans and evolving mitigation strategy. The Chair of the NERM Committee regularly reports to the Board of Directors on cybersecurity risks and other related matters. In addition, both the NERM Committee and the Audit Committee, in a joint meeting, receive an update on the Company’s risk management process and the risk trends related to cybersecurity at least annually. Management reports to the NERM Committee and/or the Board of Directors in between meetings as appropriate regarding any significant cyber events.
To date we have not identified any cybersecurity threat or incident that has materially affected the Company or our financial position, results of operations and/or cash flows, but we face certain ongoing cybersecurity risk threats that, if realized, are reasonably likely to materially affect us. We continue to invest in the cybersecurity and resiliency of our networks and enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Part I, Item 1A. “Risk Factors” included in this Annual Report.