PLBY Group, Inc. - (PLBY)
10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We understand our responsibility to assess, identify, and manage material risks associated with cybersecurity threats and incidents, as such terms are defined in Item 106(a) of Regulation S-K. Such risks include, among other things: operational disruptions, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy and/or security laws.
Identifying, assessing and managing cybersecurity risk is part of our overall risk management strategy. Cybersecurity risks related to our business, technical operations, privacy and compliance requirements are identified and addressed through third party security software, information technology (IT) security protocols, governance oversight, and risk and compliance reviews. To defend against, detect and respond to cybersecurity incidents, we, among other things: conduct routine privacy and cybersecurity reviews of systems and applications, conduct employee training, monitor emerging laws and regulations related to data protection and information security (including with respect to our digital products) and implement changes as necessary.
Our cybersecurity program is primarily overseen by our Interim Chief Information Officer and Senior Director of IT Infrastructure. They work closely with their information technology team and our senior management to develop and advance our cybersecurity strategy, as well as to respond to cybersecurity incidents. Our cybersecurity leaders report to our Chief Operating Officer and General Counsel on cybersecurity matters and collaborate with technical and business stakeholders across our business units to assess risks and implement strategies.
With the assistance of third-party software, including appropriate firmware, we manage cybersecurity risk through establishing defenses against incidents, detecting and reporting cybersecurity incidents, analyzing and assessing incidents and potential responses, implementing applicable containment, eradication and recovery actions, and understanding the reasons leading to a cybersecurity incident and appropriate changes to avoid further incidents. We perform routine reviews of our service providers for third-party risk management, and regularly push out security updates across our business.
Our cybersecurity measures are intended to protect against unauthorized access to information, and they include authentication technology, entitlement management, access control, anti-malware software, and transmission of data firewalls. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in our risk factor disclosures in Item 1A of this Annual Report on Form 10-K. During the years ended December 31, 2022 and 2023, we did not, to our knowledge, experience any cybersecurity incidents or breaches that materially impacted our business, performance or results.
Governance
Our Board has overall responsibility for risk oversight, with its committees assisting the Board in performing this function based on their respective areas of expertise. Our Board has delegated primary oversight of risks related to cybersecurity to the Audit Committee of the Board, which reports on its activities and findings to the full Board as appropriate. The Audit Committee is charged with reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. Our General Counsel, Chief Operating Officer and/or our Interim Chief Information Officer (as applicable) provide information to the Audit Committee on cybersecurity risks from time to time or as needed. These briefings include assessments of cybersecurity risks, information regarding any incidents, and cybersecurity risk management needs. Our Interim Chief Information Officer and his team, including the Senior Director of IT Infrastructure, have extensive experience in cybersecurity, complemented by industry-standard certifications, and are committed to safeguarding organizational assets and mitigating cybersecurity risks effectively while efficiently leveraging cloud technologies to meet the needs of our business. In the event of a potentially material cybersecurity event, the Chair of the Audit Committee is notified and briefed, and meetings of the Audit Committee and/or full Board would be held, as appropriate.