NATURAL HEALTH TRENDS CORP - (NHTC)

10-K Filing Date: February 28, 2024
Item 1C. CYBERSECURITY

Governance

Our Vice President of Strategic Initiatives and Chief Financial Officer oversee our cybersecurity risk management program described in “Risk Management and Strategy” below. While the Board of Directors has overall responsibility for risk oversight, it is supported in this regard by the Audit Committee, including with respect to cybersecurity matters. The Audit Committee assists the Board of Directors in monitoring cybersecurity risk by receiving as-needed updates from, and engaging in discussions with, the Vice President of Strategic Initiatives and the Chief Financial Officer that cover, among other things, our cybersecurity risk management program, response readiness and training efforts. The Audit Committee updates the full Board of Directors on cybersecurity matters as appropriate.

Risk Management and Strategy

Our business is dependent upon our computer systems, devices and networks to collect, process and store the data necessary to conduct almost all aspects of our business. We maintain a cybersecurity risk management program, which includes internal and external human resources, processes, controls and technology designed to identify, protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats.

To safeguard our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner at the network and user endpoint level. These include, but are not limited to, internal reporting, monitoring and detection tools. We engage various third-party vendors to provide these security services, including providing timely cybersecurity threat alerts in addition to monitoring cybersecurity threats and our defenses against cyberattacks. This monitoring includes the proactive identification of vulnerabilities in our systems with threat intelligence. In addition, we engage a third-party vendor to perform penetration testing at least annually, and our IT team also performs simulations and response readiness tests on an annual basis. Our incident response plan sets forth our response protocol to coordinate the activities that we take to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal and reporting obligations and mitigate brand and reputational damage.

We have adopted an IT Policies and Procedures Policy that requires all employees to acknowledge on an annual basis their responsibilities in abiding by company policies regarding safeguarding our network environment. In addition, all employees receive cybersecurity training upon hire, with at least annual training on best practices, social engineering threats and cybersecurity risks.

We continuously monitor our computer systems, devices and networks, and work to improve our safeguards against regular and continually evolving cyber and other security threats. To date, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. However, notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident in the future that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For further information about the cybersecurity risks we face, see “Item 1A. Risk Factors – System disruptions or failures, cybersecurity risks, and compromises of data, or the failure to comply with related laws and regulations, could harm our business.”