Celsius Holdings, Inc. - (CELH)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
The Company has established a cybersecurity risk management program designed to identify, assess, mitigate, and manage cybersecurity risks, incidents and threats that could potentially impact our business operations. Our internal cybersecurity committee (the "Cybersecurity Committee"), which includes our Chief Financial Officer and key representatives from the Finance, Information Technology ("IT"), and Legal departments, directs our cybersecurity efforts. The Cybersecurity Committee is primarily responsible for monitoring our cybersecurity risk management program, establishing and updating materiality thresholds for reporting cybersecurity incidents and determining whether specific incidents meet established disclosure criteria. The Cybersecurity Committee's role is focused on evaluating incidents against these thresholds to ensure that significant cyber risks are appropriately managed, addressed and, if required, disclosed in line with our overarching cybersecurity strategy and policies. The Company has also established a Cybersecurity Incident Assessment and Reporting Policy (the "Cyber Incident Policy").
Our Vice President of IT is tasked with continuous monitoring of our systems and networks for potential cybersecurity threats. The IT department monitors for incidents that meet our established materiality thresholds, which encompass items such as cost, potential impact on operations, and reputational risks, and escalates incidents within our organization for further assessment and responsive action by the Cybersecurity Committee.
The Cyber Incident Policy sets forth a process to report cybersecurity incidents that is intended to enable a rapid organizational response to mitigate risks and also to ensure compliance with our public reporting obligations. This process includes incident identification, reporting channels to report any cybersecurity incidents, reporting procedures with respect to information to be included in any incident report, provision for confidentiality of information reported, the initiation of a response process to any reported incident, communication of a reported incident to the Cybersecurity Committee and other stakeholders, and ongoing training and awareness of employees.
In addition to our internal reviews, we may from time to time engage external cybersecurity firms to assist with investigations and external cybersecurity experts to evaluate our processes, including conducting penetration tests, to report on our cybersecurity infrastructure and processes to our senior management and to the Enterprise Risk and Audit Committee (the "Audit Committee") of our Board. Our Cyber Incident Policy also establishes procedures for engaging law enforcement should the need arise and defines certain parameters with respect to drafting initial incident reports, technical assessment reports, and financial impact reports for review by the Cybersecurity Committee, management, the Audit Committee, and the full Board, as appropriate.
Our Cybersecurity Committee also reviews cybersecurity incidents affecting our third-party service providers as necessary. Upon being notified of an incident having occurred at a third party, our Vice President of IT or a designated point of contact will promptly contact the third party to understand the details and scope of the event. An initial report outlining the nature of the incident, affected systems, and preliminary impact assessment will be provided to the Cybersecurity Committee, which will convene to review the matter. Regular communication is to be maintained with the third party, with updates provided to the Cybersecurity Committee to enable appropriate steps to be taken and timely public reporting if needed.
Cybersecurity Governance and Oversight
The governance of our cybersecurity risks involves active and informed participation from our management team, our Audit Committee, and our Board. The Audit Committee, which receives regular updates from the Cybersecurity Committee, maintains oversight of our cybersecurity strategies and risks and will consider such updates as part of the Company’s overall risk management program. This oversight includes briefings on the nature of the risks we face, the steps we are taking to mitigate these risks, and any significant cybersecurity incidents that have occurred. In addition, our Vice President of IT will provide reports and updates to the Audit Committee and to the full Board as the need arises. All Board members may attend the meetings of the Audit Committee during which cybersecurity is discussed and will be included in any tabletop exercises as they are planned.
We have not experienced a cybersecurity incident that had a material impact on our business strategy, results of operations, or financial condition. We continue to monitor potential cybersecurity threats and incorporate findings into our risk management strategies.