USANA HEALTH SCIENCES INC - (USNA)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Overview.
We have implemented and maintain a cybersecurity risk management program, which consists of, among other things, comprehensive processes to identify, assess, manage, and mitigate material cybersecurity threats as part of our broader enterprise risk management program. We utilize an internal team of cybersecurity professionals and, to some extent, data privacy professionals to oversee this program. Where appropriate, we obtain input from external experts on our program, including with respect to prevailing cybersecurity practices and the latest cyber threat trends.
Cybersecurity Team.
Our internal team of cybersecurity and data privacy professionals oversees, among other things, our cybersecurity risk management and mitigation, incident prevention, detection, and remediation. The leadership of these teams is comprised of various professionals with cybersecurity expertise, including our Vice President of Information Security and Disaster Recovery, who reports to our Chief Operating Officer. Our Vice President of Information Security and Disaster Recovery has a bachelor’s degree in computer information systems, multiple university certifications in advanced cybersecurity, and over 30 years’ experience in cybersecurity and technology roles at various companies. Our executive leadership team, with input from the above teams, is responsible for our overall enterprise risk management system and associated processes, and regularly considers cybersecurity risks in the context of other material risks to the Company.
Risk Management Program Components, Training, and Incident Response.
As part of our cybersecurity risk management program, our incident response team tracks and logs cybersecurity and data privacy incidents across the Company to identify, assess, mitigate, remediate, and resolve any such incidents. Prior to forming a contractual relationship with a material vendor or third-party service provider that will have access to our information systems or data, we perform due diligence on their cybersecurity and data privacy posture. We conduct annual reviews and tests of our information security program and we periodically review and update our cybersecurity policies. We also periodically utilize qualified third parties to evaluate and assess our cybersecurity risk management program, including through conducting cybersecurity maturity assessments. We utilize cybersecurity user awareness trainings with our employees, cybersecurity insurance, business continuity mechanisms, tabletop exercises, penetration testing, and vulnerability scanning to evaluate the effectiveness of our information security program and improve our security measures and planning. The material results of these assessments are reported to our executive leadership team and the Governance, Risk and Nominating Committee of the Company’s Board of Directors (the “Board”).
We have adopted a cybersecurity and data privacy incident response plan that provides a framework for identifying, classifying, documenting, and responding to cybersecurity and data privacy incidents and determining whether reporting of an incident is appropriate or required under regulatory standards. The plan also includes a materiality assessment framework to assist us in determining whether a security incident is “material” under the federal securities laws. A cross-functional working group reviews significant cybersecurity incidents under this framework to assess the incident and, among other things, determine whether further assessment and escalation of the incident within USANA is appropriate. Any incident assessed as being or potentially becoming material is immediately escalated to designated members of our executive leadership team. We consult with outside cybersecurity and data privacy consultants and legal counsel as appropriate, including on cyber incident significance and/or materiality analysis and disclosure matters, and designated members of our management team make the final materiality determinations and disclosure and other compliance decisions. Our management apprises the Governance, Risk and Nominating Committee and, where necessary, our independent registered public accounting firm, of cybersecurity matters and relevant developments, as appropriate.
Governance.
Our Board is actively involved in the assessment, oversight and management of the material risks that could affect the Company. The Board carries out its risk oversight and management responsibilities by monitoring risk directly as a full Board and, where appropriate, through its committees. The Board has delegated to the Governance, Risk and Nominating Committee the ultimate oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Our cybersecurity and data privacy professionals regularly discuss cyber risks and trends and, should they arise, any material incidents with management and the Governance, Risk and Nominating Committee.
Material Risks from Cybersecurity Threats.
As a global company with operations and customers in 25 markets, we encounter a variety of cybersecurity threats. However, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats. Nevertheless, we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity-related risks, see “Item 1A. Risk Factors” of this Annual Report on Form 10-K.