Leafly Holdings, Inc. /DE - (LFLY)
10-K Filing Date: April 01, 2024
Our Cybersecurity Approach and Strategy
Our cybersecurity approach includes consideration of information security controls in aspects of the business where unauthorized occurrences could adversely affect the confidentiality, integrity, or availability of our information systems as part of our overall risk management strategy, looking to the National Institute of Standards and Technology’s Cybersecurity Framework (“NIST CSF”) as a guide in how we identify, assess, and mitigate material cybersecurity risks. Cyber risk management encompasses partnerships among teams that are responsible for cybersecurity governance, prevention, detection, and remediation activities within our Company’s cybersecurity environment.
We have engaged external cybersecurity professionals to help design and manage our security program. These experts conduct annual penetration testing and incident response tabletop exercises, make recommendations on how to continuously improve our cybersecurity program, and assist us in implementing their recommendations into our existing processes.
Accordingly, we have implemented processes for overseeing, detecting and identifying material risks from cybersecurity vulnerabilities and threats, and technical, process, and people related security controls designed to mitigate material cybersecurity risks. We also maintain an Incident Response Plan, which defines the procedures for evaluating and reporting cybersecurity incidents to executive leadership. The Incident Response Plan also creates a framework and delegates tasks to appropriate personnel for responding to a cybersecurity incident based on the severity of an incident. These processes are integrated into our overall risk management strategy.
Our ongoing cyber risk management efforts include penetration testing to assess and manage cybersecurity risks and monthly reviews of our risk register, which are updated on an ongoing basis. From time to time, we also provide enterprise-wide cybersecurity training for employees to continuously improve our mitigation against human-driven vulnerabilities.
We have experienced security incidents in the past, which we believe were immaterial and were not reportable under applicable state law or our other obligations; however, there can be no assurance that our determinations were correct. We do not believe there are material risks from cybersecurity threats, including as a result of previous incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.
Oversight of Third-Party Service Providers
We manage cybersecurity risks through our use of third-party service providers by integrating our mitigation strategies throughout various functional areas within the Company, including but not limited to the Company’s business segments and information technology, engineering, infrastructure, and legal departments. These strategies include, as applicable, conducting technical assessments at the outset of any third-party service provider engagement, limiting the disclosure or transfer of information to an as-needed basis by way of technical infrastructure, and contractually requiring third parties to maintain security controls and protect our information and maintain established notification protocols in the event of any known material data breach using industry best practices.
Responsibilities of Management and Board
Management
Our Senior Vice President of Product, who has extensive cybersecurity knowledge from over 20 years of experience in leadership roles at technology companies ranging in maturity from various startups to Sony, a large billion dollar corporation, leads the team responsible for overseeing, managing, and assessing our material cybersecurity risks, and works in close coordination with other members of leadership, infrastructure, and information technology, and our external professional providers to maintain cybersecurity risk management and data protection.
Board
Our Board oversees the risk management activities designed and implemented by our management. Our Board executes its oversight responsibility both directly and through its committees, and has delegated the responsibility of providing oversight of cybersecurity risks to its Audit Committee, including oversight over the steps management takes to monitor and control such exposures. Our Senior Vice President of Product and external cybersecurity professionals are responsible for overseeing, managing and assessing material cybersecurity risks, and periodically report to the Audit Committee on the ongoing development, status and health of our cybersecurity program and material cybersecurity risks or incidents, if any.