Jushi Holdings Inc. - (JUSHF)
10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our Cybersecurity program is informed by industry standard cybersecurity frameworks. We benchmark against these frameworks and our internal risk assessment process to inform how we identify, protect, detect, respond to, and recover from risks, threats, vulnerabilities, and cybersecurity incidents.
Our cybersecurity risk management program is part of and integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Members of our cybersecurity team collaborate with employees and management across our organization on an ongoing basis to assess and refine our cybersecurity processes, and we conduct cybersecurity awareness training of our employees, incident response personnel, and senior management. Our cybersecurity risk management program includes a Data Exposure Management Plan, which includes procedures for responding to cybersecurity incidents, and a Risk Management Policy.
We also utilize external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls. We have in place a third-party risk management process for third-party IT service providers, suppliers, and vendors.
Notwithstanding the foregoing, there can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.
As of December 31, 2023, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information about our cybersecurity related risks (including as a result of any prior cybersecurity incidents), see Part 1, Item 1A, Risk Factors under the risk titled " We have in the past and may in the future experience threats and breaches to our data and information technology systems, including malicious software codes, viruses, phishing, ransomware and other cyber-attacks, that disrupt our information systems or operations, or result in the dissemination of sensitive personal or confidential information or unauthorized financial access, theft or crimes, which could result in increased costs, economic losses, exposure to significant liability, reputational harm, loss of business, and other serious negative consequences.”
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity and other information technology risks. The Committee receives periodic reports from management on the Company’s cybersecurity management program as well as our cybersecurity risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
Our management team, including our Chief Financial Officer, Chief Legal Officer, VP of Internal Audit, VP of Information Technology and Director of Cybersecurity, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and
55
supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team’s experience includes technical and managerial expertise, enabling them to proficiently design, engineer, and oversee the organization’s overall security stance. Their capabilities encompass a wide range of skills, including experience in Security and Risk Management, Vulnerability Management, as well as backgrounds in Network Security and Operations, and Security Architecture.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.