Cricut, Inc. - (CRCT)
10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. The structure of our information security program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and other industry standards. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We conduct periodic risk assessments, including vulnerability scanning and penetration testing, to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include an inventory of assets, followed by identification of reasonably foreseeable internal and external vulnerabilities, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We monitor various cybersecurity resources to remain informed about new and emerging cybersecurity threats and attack vectors. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Executive Vice President of Platform Development, to manage the risk assessment and mitigation process.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on recognizing potential cybersecurity threats and implementing our safeguards. Personnel at all levels and departments are made aware of our cybersecurity policies through periodic trainings. We also conduct tabletop exercises for members of various functional areas on data recovery and incident response.
We engage security consultants and other third parties in connection with our risk assessment processes. These service providers assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards and to conduct regular vulnerability assessments for our internal assets. We require each third-party service provider to give assurance that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company. We review third-party service providers’ policies, data protection procedures, intellectual property protection measures and incident response measures. Our CISO oversees our relationships with these third-party service providers.
For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors under the heading “Risks Related to Privacy, Data Protection and Cybersecurity,” which is incorporated herein by reference.
Governance
Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee.
Our CISO and our steering committee on information security, which includes members of our executive management as well as leaders of business functional areas, are primarily responsible to assess and manage our material risks from cybersecurity threats. Our CISO has over 20 years of experience leading in the information security field at well-known publicly traded technology companies. He also received a CIO Executive Education Certificate from Stanford University.
Our CISO and our steering committee on information security oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our CISO
62
and our steering committee on information security are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents includes the following: risk assessment and management, policy development and implementation, prevention strategies, detection mechanisms, incident response and mitigation, remediation and recovery, reporting and communication, compliance and legal considerations, efforts at continuous improvement, and training and awareness.
Our CISO and representatives from our steering committee on information security provide quarterly briefings to the audit committee regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Because many members of our board of directors regularly attend our audit committee meetings, the full board of directors regularly receives updates on cybersecurity.