ChromaDex Corp. - (CDXC)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We are a global bioscience company dedicated to healthy aging. In the ordinary course of our business, we may collect, process, store and transmit proprietary, confidential and sensitive information, including personal information (including health information), intellectual property, trade secrets, and proprietary business information owned or controlled by ourselves or other parties. We use our data centers and our networks, and those of third parties, to store and access our proprietary business and other sensitive information. We rely upon third-party service providers and technologies to operate critical business systems that process confidential and personal information in a variety of contexts, including, without limitation, third-party providers of cloud-based infrastructure, employee email, and other functions. We have established cybersecurity risk management policies and procedures aimed at safeguarding the confidentiality, integrity, and availability of our critical systems and information, including those involving third-party service providers. Further, while we are actively working to enhance our policies and procedures into a more comprehensive cybersecurity risk management program, our current measures are designed to address cybersecurity risks effectively. Our cybersecurity risk management policies and procedures include the ChromaDex Incident Management Plan.

We design and assess our policies and procedures based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF framework). This does not imply that we follow or meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. For example, we periodically perform independent third-party security audits and assess potential risks.

Our cybersecurity risk management policies and procedures are integrated into our overall enterprise risk management program and share common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management policies and procedures include:

risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
a security team, led by our Vice President of IT (VP of IT), principally responsible for managing our (1) cybersecurity risk assessment processes, (2) security controls, and (3) responses to cybersecurity incidents;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, which are designed to anticipate cyber-attacks and prevent breaches;
cybersecurity awareness training of our employees, incident response personnel, and senior management;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
a third-party risk management process for service providers, suppliers, and vendors.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function. In connection with the Audit Committee’s oversight of the Company’s risk management, the Audit Committee reviews with management, at least annually, the Company’s cybersecurity risk exposure and the steps management has taken to monitor or mitigate such exposure, including reviewing risk assessments from management with respect to our information technology systems and procedures, and overseeing our cybersecurity risk management processes. In addition, management will update the Audit Committee and the full Board, as necessary, regarding cybersecurity incidents that we may experience.

Our management team, including our VP of IT, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management policies and procedures and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team’s cybersecurity risk management is led by our VP of IT, who has experience across technology-enabled growth, information security, infrastructure, operations and compliance.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.