BEYOND, INC. - (BYON)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy

Our company recognizes the critical importance of cybersecurity in our digital operations and has established a robust risk management program to address both internal and external cybersecurity threats. This program, guided by industry frameworks like NIST CSF and overseen by experienced leadership teams, integrates advanced security tools and practices into our broader enterprise risk management system, actively involving our Executive team and Board of Directors in its oversight. Despite our comprehensive efforts and critical resource allocation, we acknowledge the challenges posed by the evolving nature of cyber threats and the limitations in fully mitigating these risks. We have not observed any significant impacts from known cybersecurity threats or previous incidents on our operational, strategic, or financial aspects. Nevertheless, given the unpredictable nature of cyber threats, we cannot assure complete immunity against potential future impacts.

The likelihood of cybersecurity incidents is influenced by frequency risk factors. External factors include market trends in cybercrime, technological advancements in hacking methods, and geopolitical developments. Internal factors are shaped by our policies, the effectiveness of employee training, and the robustness of system updates and maintenance procedures. External cybersecurity incident events may include, but are not limited to, service disruptions due to email-borne threat activities, ransomware, or denial-of-service attacks against us or our suppliers, while internal events may comprise internal threats, subcontractors, or governance failures, among other events.

Cybersecurity incident response plans are regularly updated to include structured processes encompassing identification, containment, eradication, recovery, and post-incident review. Continuous monitoring of systems and networks allows for the detection of, and response to, potential cybersecurity threats. Response capabilities are regularly reviewed to align with the evolving cyber threat landscape, and processes are fully integrated into our broader risk management system.

Criteria used to determine the materiality of an incident include, but are not limited to, evaluating the scope, nature, type, systems, data, operational impact, and pervasiveness of the incident. This approach involves continuous oversight and improvement based on evolving cyber threats. Materiality also considers both quantitative and qualitative factors in determining impact.

Third-party engagement processes include risk evaluation across various domains such as cybersecurity, data privacy, supply chain, and regulatory compliance. We are committed to transparently disclosing material and unauthorized cybersecurity incidents involving third-party service providers, considering factors like operational technology system damages, information breaches, and interconnected attacks exploiting vulnerabilities.

Cybersecurity Governance

Our Board of Directors plays a pivotal role in overseeing the organization's preparedness for cyber threats. This involves a comprehensive understanding of our risk profile, ensuring appropriate cybersecurity controls are in place, regularly reviewing the effectiveness of these measures, and maintaining a robust incident response plan. The Board's involvement extends beyond compliance and budget approvals to active participation in continuous cybersecurity strategy improvement. The Board enhanced its cybersecurity expertise with the addition of Joanna Burkey in March 2023. Ms. Burkey has an extensive cybersecurity background and has served as CISO at both HP and Siemens.

The Audit Committee, designated as the responsible body for cybersecurity oversight, ensures regular information flow about cybersecurity risks to the Board of Directors. Our cybersecurity program is led by our Chief Information Security Officer (CISO), who has over 20 years of experience in the cybersecurity field. Their expertise is supported by industry certifications, regular participation in leading advanced training programs, and advisement roles. The CISO leads a dedicated team of security professionals who provide comprehensive coverage of critical program capabilities. We prioritize transparency by providing regular reports to the Audit Committee, senior management, and relevant stakeholders, keeping them informed on evolving cyber threats, ongoing assessments, and any significant findings. This collaborative approach ensures informed decision-making and timely response to potential risks, safeguarding our critical assets and valuable information.
