Trulieve Cannabis Corp. - (TCNNF)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Trulieve recognizes the critical importance of developing, implementing, and maintaining cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of data we produce and collect.
Managing Material Risks & Overall Risk Management
We have a cross-departmental approach to addressing cybersecurity risk, including input from our employees, senior management, and Audit Committee of our Board of Directors (the “Board”). The Company devotes significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats promptly and effectively.
We have a set of Company-wide cybersecurity policies and procedures and continue building these important document libraries. Management approves initial policies and reviews them periodically for updates and changes. Our cybersecurity program follows the internationally recognized risk framework, ISO 27001. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a multi-faceted cybersecurity strategy based on prevention, detection, and mitigation. The Company continues to work to ensure that our cybersecurity risks are fully incorporated into the Company’s overall risk management approach.
Third-Party Risk Management and Oversight
As part of our cybersecurity program, we also engage external service providers, who assist us in evaluating and enhancing the effectiveness of our information security policies and procedures. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity policies and procedures are comprehensive, up-to-date, and aligned with regulatory requirements.
The use of these third-party providers is regularly reviewed and monitored by the appropriate members of management. We conduct thorough assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards.
Risks from Cybersecurity Threats
We have not encountered cybersecurity challenges that have materially impacted our strategic plan, operations, or financial standing. For additional information, see “Item 1A. Risk Factors - We are subject to security risks related to our products as well as our information and technology systems”.
Governance
Trulieve’s cybersecurity program is managed by our Chief Technology Officer ("CTO") and our Senior Director of Information Security, whose team ("Cybersecurity Team") is responsible for facilitating the enterprise-wide cybersecurity program. Our CTO has over 20 years of experience with large information technology footprints, including cybersecurity. His in-depth knowledge and expertise are instrumental in supporting our cybersecurity program and policies and overseeing our governance and compliance programs. The Information Security Governance Committee ("IT Committee") and Audit Committee of our Board of Directors oversee management’s process for identifying and mitigating risks, including cybersecurity risks. The Audit Committee is composed of board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
Management’s role in assessing and managing material risks from cybersecurity threats involves leadership, governance, resource allocation, and proactive risk management. Management's involvement is crucial in safeguarding the Company's digital assets, reputation, and long-term success. Our Cybersecurity Team provides periodic reports to our IT Committee and Audit Committee, as well as our Chief Executive Officer, and other members of senior management as appropriate.
The IT Committee and Audit Committee actively participate in discussions with management regarding cybersecurity risks. The IT Committee and Audit Committee perform an annual assessment of the Company’s cybersecurity program, which includes a discussion of management’s actions to identify and detect threats, and scenarios for potential response or recovery situations. In addition to regularly scheduled meetings, the IT Committee and Audit Committee and appropriate levels of senior management maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive.