NU SKIN ENTERPRISES, INC. - (NUS)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY

Our company is exposed to a variety of evolving cybersecurity risks. We invest in our cybersecurity program to proactively manage and mitigate these risks. On an annual basis, we utilize our Enterprise Risk Management (“ERM”) program to estimate our annual loss potential based on our defined control framework and its overall effectiveness. In conjunction with our ERM program, the cybersecurity program references the CIS Critical Security Controls and the NIST Cybersecurity Framework (CSF) to guide our organization’s risk identification and mitigation procedures. In addition, we undergo an annual third-party external penetration test, as well as third-party attack-surface monitoring to understand our potential vulnerabilities, threat vectors, and additional impacts to critical assets and operations. In addition, our cybersecurity team performs procedures to identify risks that inform our annual security roadmap.

We engage third-party cybersecurity experts to provide independent assessments of our cybersecurity readiness and control effectiveness. Our goal in collaborating with external cybersecurity firms is to gain insights and knowledge into emerging threats and vulnerabilities, industry trends and best practices to inform our risk remediation efforts. Additionally, we engage with our externally retained incident response team and select internal teams to perform tabletop exercises that inform our cybersecurity response capabilities and resilience.

We also enact a process to perform a risk assessment of new third parties, inclusive of new third-party contracts, which provides an additional layer of oversight in identifying material risks associated with the use of particular external service providers.

At this time, we have not identified risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected our business strategy, results of operations or financial condition, but we cannot provide assurance that such risks or future material incidents will not materially affect us in the future. For more information regarding the risks we face from cybersecurity threats, please see Item 1A. Risk Factors.

Our management plays a pivotal role in assessing and managing material risks from cybersecurity threats. Our management has implemented a broad and continuous process for cyber event monitoring, analysis of emerging threats, and the development and implementation of risk mitigation strategies. Led by our Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”), we implement cybersecurity policies, procedures and strategies, including employee training programs, security assessments and attack detection alerts designed to address the constantly evolving threat landscape. Our CTO has over 20 years of technology experience, including roles at Amazon Web Services, Dell EMC, and Ball Aerospace. Our CISO has over 30 years of cybersecurity and IT leadership experience.

At the Board of Directors level, our Audit Committee oversees our risks related to information security and privacy. To accomplish this responsibility, the Audit Committee meets quarterly with our CTO and CISO to receive and discuss updates on our cybersecurity program. Top risks, key initiatives, material cyber incidents, remediation activity and security metrics are shared to report the overall loss potential, program effectiveness, risk management conditions and current threat landscape. Our Board of Directors is committed to maintaining a well-informed and security-aware business by regularly engaging through updates on the organization’s roadmap and evolving threat landscape.
