Vita Coco Company, Inc. - (COCO)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We face significant and persistent cybersecurity risks due to the global nature of our business, the use of information technology systems, infrastructure and data in our business operations and our reliance on third-party vendors, suppliers, customers and business partners. We defend our systems against cybersecurity attacks on a daily basis and rely heavily on the reliability, security and efficiency of our information technology systems and ongoing employee training to face these threats. In addition, to protect our business, we have implemented a cybersecurity risk management program with a robust governance structure and strong mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks.

We rely on a multidisciplinary team, including our information security function, legal department, management, and third-party service providers, as described further below, to identify, assess, and manage cybersecurity threats and risks. These processes include, among other things, annual security awareness training for employees, programs to increase awareness of phishing attempts, tools to detect and monitor unusual network activity, and processes to contain, escalate and respond to incidents. In addition, we have an enterprise Information Security Policy describing our cybersecurity program and governance structure and the processes and procedures in place to identify, mitigate and remediate cybersecurity threats and risks.

To further protect our business, we partner with a third-party vendor to provide cybersecurity and risk management as a managed service offering. They provide cybersecurity risk assessment and threat intelligence to the Company, in addition to acting as a managed service provider for our information technology program. We decided to retain a third party for these services given the small size of our Company and internal information technology staff and the quality, comprehensiveness, and cost-effectiveness of the services offered. An internal team, led by our Chief Operating Officer, oversees and works collaboratively with this third-party vendor to evaluate the strength of our cybersecurity protocols and the results of testing to determine what additional actions, such as trainings or remedial actions, are necessary to lessen cybersecurity risks. We intend to continue to make investments to monitor and maintain the security of our data and cybersecurity infrastructure.

Third Party Risk Management

We also monitor and manage cybersecurity risks associated with our third-party service providers, including our managed security service provider, suppliers, customers and vendors, through, among other things, the processes set forth in our policies and procedures, due diligence processes, regular oversight, monitoring and auditing of our relationships by internal staff, supplier codes of conduct and escalation practices for reporting issues. We require our third-party providers to meet appropriate security requirements and controls prior to providing access to our internal systems, and investigate and report any security incidents, as appropriate.

Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For more information, see "Risk Factors—Risks Related to Our Information Technology and Intellectual Property" in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
Risk assessment and oversight are an integral part of our governance and management processes. Our Board of Directors (the "Board") has ultimate oversight of the Company's risk management. In accordance with its charter, the Audit Committee of the Board is responsible for overseeing our enterprise risk management program on behalf of the Board, including material risks related to cybersecurity threats, and reporting on these matters to the Board. The Audit Committee receives regular updates from management, including the information technology and legal teams, on cybersecurity risk resulting from risk assessments, reviews any information on relevant internal and industry cybersecurity incidents, and is notified between such updates of any incidents which could materially affect the Company. Based on this information, our Audit Committee monitors the Company's cybersecurity program, including potential threats, weaknesses and vulnerabilities, and reviews the policies and procedures in place to prevent, detect and respond to cybersecurity threats and unauthorized access to our information security systems. Significant findings related to cybersecurity, data and technology risks or incidents are regularly reported to and discussed at the Board level. Three members of our Board, including two of our Audit Committee members, are currently pursuing or have received certifications in cyber-risk oversight through the National Association of Corporate Directors.

Management, in coordination with our information technology department, is responsible for assessing the risk of cybersecurity threats and hiring appropriate personnel and third-party consultants to oversee the cybersecurity program. Specifically, these processes are overseen by our multidisciplinary Technology Risk and Information Security Committee, which consists of leaders from our Information Technology, Operations, Internal Audit and Legal teams. Such individuals have an average of over 15 years of prior work experience in various roles across multiple industries involving information technology, risk management, operations and legal matters.