Green Thumb Industries Inc. - (GTBIF)
10-K Filing Date: February 29, 2024
Cybersecurity Risk Management
The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company’s overall risk management systems. These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company, from time-to-time, may engage third-party consultants, legal advisors, and audit firms to evaluate and test the Company’s risk management systems and assess and remediate certain potential cybersecurity incidents, as appropriate.
Governance
As part of our enterprise risk management program, the Board of Directors (the “Board”) and Audit Committee meet with our senior management team, which includes our Chief Executive Officer, President, Chief Financial Officer, and General Counsel to address risks associated with cybersecurity threats on a regular basis. The Board and the Audit Committee receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been resolved.
Cybersecurity threats are one of the Company’s most critical risks, with our Senior Vice President -Technology assigned as the executive risk owner. Our Senior Vice President - Technology, in coordination with our senior management team, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. Multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the Senior Vice President - Technology and the senior management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Board and Audit Committee, when appropriate.
Our Senior Vice President - Technology has served in various roles in information technology and information security for over 25 years. He holds undergraduate and graduate degrees in computer science and business.
During the year ended December 31, 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks.
See “Item 1 A. Risk Factors” for more information on the Company’s cybersecurity-related risks.
44