VECTOR GROUP LTD - (VGR)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
We have a comprehensive approach to identifying and managing cybersecurity risks that involves our information technology security personnel, senior management, Audit Committee and Board of Directors. Our cybersecurity risk management function is integrated into our overall risk management system and processes.
Governance. The Board of Directors has formally tasked the Audit Committee with oversight responsibility to review cybersecurity and data privacy risks. The Audit Committee receives regular reports from management about cybersecurity matters. In addition to regular reporting, we have procedures by which potential cybersecurity incidents are reported in a timely manner to the Chief Technology Officer, who then notifies the Chief Operating Officer and General Counsel of cybersecurity incidents, and they collectively determine if a specific incident warrants escalation to the Audit Committee and the Board of Directors. Our CTO, who has more than 25 years of information security and cybersecurity experience, manages cybersecurity at the corporate and real estate segments and oversees a team of dedicated cybersecurity personnel employed in our tobacco segment. Our governance procedures are generally designed to identify, assess, mitigate, prevent and, where required, respond to cybersecurity incidents and threats in a timely manner to minimize the loss or compromise of information and assets and to facilitate incident resolution.
Cybersecurity incident identification and response. We use a number of processes and procedures to protect our data, systems and employees from cyber incidents, to reduce our overall cybersecurity risk profile, and to identify and respond to cybersecurity incidents in a timely manner. These processes and procedures leverage a variety of tools, including a security incident and event manager interface that uses behavioral analytics and provides live metrics and reports of attempted breaches and logs of firewalls, authentication attempts, emails, anti-malware, attempted intrusions and applications. We also conduct periodic tests to assess our processes and procedures and the threat landscape, which include, among other things, the engagement of third-party experts for external and internal penetration testing and system security assessments.
We have adopted an incident response plan that applies in the event of a cybersecurity incident involving a breach of our own information technology systems and applications. Pursuant to this response plan, in the event of an incident, a multi-disciplinary team is assembled that includes our CTO and General Counsel and, if appropriate, our COO and CFO, which in turn may leverage the expertise of third-party consultants, external legal counsel and other resources. The plan includes procedures designed to facilitate containment of, and responses to, a cybersecurity incident, which are based on the type of incident, the location of the incident and the breadth of the incident. The plan also establishes procedures for notifying any impacted parties, including our customers, law enforcement and regulatory authorities, third-party vendors and insurance providers. Our CTO will provide periodic updates to the Audit Committee and, when appropriate, the Board of Directors during this process.
After an incident, we would review and document the causes and effects of the incident, evaluate the remediation plan, and consider post-incident improvements. Where applicable, the CTO reports these findings to the Audit Committee and, when appropriate, the Board of Directors.
Processes to identify material risks associated with the use of third-party service providers. In addition to internal resources, we utilize third-party service providers to supplement and maintain our information technology systems. We have procedures to oversee and identify cybersecurity risks associated with our use of these third-party service providers, including procedures that apply in the event of a cybersecurity incident at a third-party service provider that results in our systems or data or our customers’ data being compromised. These processes and procedures include, among others, a diligence review conducted by our information technology team of substantially all of our external business partners and a focused review of any such third parties’ cybersecurity audit attestations, such as Service Organization Controls, NIST 800 alignments, ISO certifications, PCI DSS compliance or other recognized external reviews. In the case of a cybersecurity incident affecting a third party, these procedures also govern interactions with personnel of the impacted third party to determine the date, scope and effects of the cybersecurity incident, review the response and remediation measures taken by the third party and conduct an inventory of potentially compromised data. Our notification process for a cybersecurity incident affecting a third party is the same as the notification process that applies to a cybersecurity incident that affects our own information technology systems and applications.
Cybersecurity risks and threats. We and certain of our third-party service providers have experienced, and may continue to experience, internal and external cybersecurity threats, which can result in impacts to critical data and confidential or proprietary information and the disruption of certain business operations. Nonetheless, we have not been subject to cybersecurity incidents that, individually or in aggregate, have been material to our operations or financial condition, and we cannot provide assurance that cybersecurity incidents will not have a material impact in the future. See Item 1A. “Risk Factors”.