Better Choice Co Inc. - (BTTR)
10-K Filing Date: April 12, 2024
Cybersecurity risk management is an important part of the Company’s overall risk management efforts. We maintain a comprehensive enterprise-wide information security program that comprises policies and controls designed to identify, safeguard against, detect, respond to, mitigate and manage reasonably foreseeable cybersecurity risks and threats. Our approach utilizes diverse security tools to prevent, identify, investigate, resolve and recover from vulnerabilities and security incidents. These include, but are not limited to, internal reporting, monitoring and detection tools. We use a collaborative, enterprise-wide strategy to address cybersecurity risks and allocate significant resources to our cybersecurity and risk management processes, which efforts are intended to adapt to the evolving cybersecurity landscape and promptly address emerging threats. Our cybersecurity risk management program aligns with the National Institute of Standards and Technology (NIST) framework and is organized into five key functions: identification, protection, detection, response and recovery. We regularly assess the threat landscape and employ a layered cybersecurity strategy to prevent, detect and mitigate threats.
All employees undergo security awareness training, with regular testing through simulated phishing emails. Certain employee positions require additional role-based, specialized security awareness or other cybersecurity training, as applicable. Simulations, drills and assessments are conducted to test our defenses from both a technical and an operational perspective.
We assess risks associated with third-party providers as part of our overall cybersecurity risk management framework by reviewing system and organization controls reports, when available, and other independent reports. We also generally require third parties to, among other things, maintain security controls to protect our confidential information and to promptly notify us of material breaches that may impact our data.
Our Board of Directors has oversight of our enterprise risk assessment and risk management processes, as well as the steps taken to mitigate these risks, including for cybersecurity matters. The Audit Committee of our Board of Directors has oversight of cybersecurity risk assessment and risk management policies as part of its risk management oversight responsibilities, and is responsible for ensuring that the Company has processes in place to identify, evaluate and manage cybersecurity risks, as well as appropriate processes and programs to mitigate cybersecurity incidents if they occur. Significant cybersecurity matters, including those related to incidents, are escalated to the Board of Directors.
We face cybersecurity threats in the ordinary course of our business and have faced cybersecurity threats and breach attempts in the past. Such threats and breach attempts have not materially affected our business, strategy, results of operations or financial condition. At any given time, however, we may face known or unknown cybersecurity risks and threats that cannot be fully prevented or mitigated, and we may discover vulnerabilities in our cybersecurity programs. Therefore, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For more information on the cybersecurity risks we face, please refer to “A failure of one or more key information technology systems, networks or processes may materially adversely affect our ability to conduct our business.” in Item 1A. “Risk Factors.”