Turning Point Brands, Inc. - (TPB)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We rely on our technology infrastructure and information systems for our internal communications, controls, reporting and relations with customers and suppliers, to utilize our data, and to bill, collect, and make payments. Our technology infrastructure and information systems also support and form the foundation for our accounting and finance systems and form an integral part of our disclosure and accounting control environment. Our internally developed systems and processes, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, falsification of banking and other information, insider risk, or other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors with significant means. We expect that the sophistication of cyber-threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies.
We have implemented robust processes to assess, identify, and manage cybersecurity risks, including potentially material risks, related to our internal information systems and our products. In response to the increasing threats presented by cyber incidents, in 2023 we established a Cybersecurity Steering Committee, which meets bimonthly. This committee is composed of our Chief Information Officer, Head of IT and Security Leader, along with our Deputy General Counsel, who reports to our General Counsel. The Cybersecurity Steering Committee oversees activities related to the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks. The Cybersecurity Steering Committee develops and implements cybersecurity risk mitigation strategies and activities, including the management of comprehensive incident response plans, oversees the cybersecurity risks posed by third-party vendors, ensures policies and procedures are current and followed, and receives regular updates on cybersecurity-related matters.
Our Board of Directors oversees our enterprise risk management process, and the Audit Committee of the Board has direct oversight of our management of cybersecurity risks. Under the direction and supervision of our Chief Financial Officer, we conduct an annual comprehensive enterprise risk assessment, which includes details of our management of enterprise-wide risk topics, such as those related to cybersecurity risks. The Board of Directors receives the full results of the annual enterprise risk assessment, including an evaluation of the cybersecurity risks presented and a detailed description of the actions we have taken to mitigate these risks. Our Cybersecurity Steering Committee reviews the results of any enterprise risk assessment with management on a bimonthly basis and with the Board of Directors quarterly or when risks are identified. Management provides a comprehensive update to the Audit Committee of the Board on cybersecurity threats and risk mitigation at least annually, and more frequently as relevant.
Our Chief Information Officer, reporting to our Chief Financial Officer, has principal responsibility for assessing and managing cybersecurity risks and threats, implementing the activities and systems necessary to address such risks and threats, and preparing updates for the Board of Directors. Our Chief Information Security Officer reports to our Security Leader and has over 25 years of IT, cybersecurity, data security and regulatory compliance experience. Our Security Leader reports to our Chief Information Officer and is responsible for the operation of our cybersecurity program and management of our cybersecurity team. Our Security Leader has 20 years of IT experience.
We have adopted the National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security Critical Security Controls to continually evaluate and enhance our cybersecurity. Activities include mandatory quarterly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises, throughout our organization. These cybersecurity drills are performed both in-house and by a third-party service provider. We use automated tools that monitor, detect, and prevent cybersecurity risks and have a security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats. Our Cybersecurity Steering Committee also has effected comprehensive incident response plans that outline the appropriate communication flow and response for certain categories of potential cybersecurity incidents. The Cybersecurity Steering Committee escalates events, including to the Chief Financial Officer and Board of Directors, as relevant, according to pre-defined criteria.
If we were to experience a cybersecurity incident, our Security Leader would inform the Cybersecurity Steering Committee, which would then evaluate and assess the materiality of the incident to the Company and the impact of the incident on the Company’s information technology infrastructure and data integrity, and determine whether the incident should be reported to the Audit Committee of the Board in advance of the next regular cybersecurity update. The Cybersecurity Steering Committee, with the assistance and input of the Audit Committee of the Board, has established a set of predefined criteria that it uses to make such determinations. Once a cybersecurity incident has been reported to the Audit Committee of the Board, the Audit Committee of the Board, with the input of the Cybersecurity Steering Committee, will determine how to address it.
We engage subject matter experts such as consultants and auditors to assist us in establishing processes to assess, identify, and manage potential and actual cybersecurity threats, to actively monitor our systems internally using widely accepted digital applications, processes, and controls, and to provide forensic assistance to facilitate system recovery in the case of an incident. The Cybersecurity Steering Committee oversees and establishes the parameters of our engagement with these experts to ensure we obtain any supplemental assistance needed in this area.
If we were to experience a cybersecurity incident, we may suffer interruptions in service, loss of assets or data, or reduced functionality. Security breaches of our systems that allow inappropriate access to or inadvertent transfer of information, or the misappropriation or unauthorized disclosure of confidential information belonging to us or to our employees, providers, suppliers, customers or insurance companies, could result in our suffering significant financial and reputational damage. Though we take steps to ensure our products and software are secure, a cyber-attack could result in the loss or compromise of our or our employees’, suppliers’ and customers’ critical data. If a supplier or customer alleges that a cyber-attack causes or contributes to a loss or compromise of critical data, whether or not caused by us, we could face harm to our reputation and financial condition and incur regulatory repercussions. See Item 1A “Risk Factors – Security and privacy breaches may expose us to liability and cause us to lose customers”. A cybersecurity incident could materially harm our reputation and financial condition and cause us to incur legal liability and increased costs when responding to such events.