Where Food Comes From, Inc. - (WFCF)
10-K Filing Date: February 15, 2024
We have a cross-departmental approach to addressing cybersecurity risk, including input from employees and our Board of Directors (the “Board”). The Board, Audit Committee, executive and middle management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection, and mitigation. Assessing, identifying and managing cybersecurity related risks are integrated into our overall risk management process. We have policies and/or procedures concerning cybersecurity matters related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.
The Company’s Chief Technology Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Chairman of the Board. Our Chief Technology Officer has over two decades of experience leading cybersecurity oversight, while others on our IT security team have cybersecurity experience and/or a college degree with concentrations in security. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed. All employees are required to attend company-wide training, which includes cybersecurity topics, several times a year.
We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. We utilize independent expert organizations that employ cybersecurity dashboards that automate the aggregation and analysis of data points to help us address possible exposures and internal control weaknesses, as well as review recommended areas of action to improve the quality and maturity of our controls. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. We also conduct an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of the hosted applications are required to document user access reviews at least annually and to obtain from the vendor a System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.
The full Board participates in discussions with management and amongst themselves regarding cybersecurity risks. Management provides updates regarding our cybersecurity program, which includes discussion of management’s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. Management also updates the Board on the Company’s Cyber Attack Recovery Plan, which covers, among other things, our approach to material cybersecurity incidents, data privacy and our compliance programs. To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically attends presentations on these topics.
We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. For more information about the cybersecurity risks we face, see the risk factor entitled “A significant data breach or information technology system disruption could adversely affect our business, financial results, or reputation, and we may be required to increase our spending on data and system security” in Item 1A - Risk Factors.