Cybersecurity Risk Management, Strategy and Governance | 12 Months Ended, Dec. 31, 2024 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | **Risk Management and Strategy.** We recognize the increasing importance of cybersecurity and maintain various cybersecurity measures and protocols to safeguard our systems and data and to monitor and assess potential risks or threats. Heidmar’s cybersecurity program includes multiple layers of defense and a blend of internal oversight and managed services. Preventive measures include endpoint protection and threat intelligence, email filtering and sandboxing through Proofpoint, and mandatory multi-factor authentication for key systems. Remote access to internal systems is restricted and granted only on an ad hoc, supervised basis. We maintain processes for assessing, identifying and managing material cybersecurity threats through regular third-party penetration testing, vulnerability assessments, and continuous monitoring of endpoints and email communication systems. However, we do not currently have a formal enterprise risk management framework or a centralized risk register specific to cybersecurity risks. Due diligence, including the review of relevant security certifications such as ISO/IEC 27001, is conducted prior to engaging critical third-party service providers. However, no formal periodic reassessment process is currently in place for monitoring vendors after contract execution. Other prevention activities include endpoint protection, email threat filtering and continuity, and multi-factor authentication. Detection is supported through continuous monitoring and managed detection and response services. Mitigation and remediation processes involve immediate containment actions, coordination with internal IT resources, system restoration from backups, and post-incident analysis to strengthen controls. We are currently in the process of implementing ISO/IEC 27001 (Information Security Management), ISO/IEC 27701 (Privacy Information Management, aligned with GDPR), and ISO 22301 (Business Continuity Management). As part of these initiatives, key policies and controls are being formalized to further standardize and strengthen the cybersecurity posture. At present, cybersecurity risk is not formally integrated into the Company’s broader enterprise risk management or strategic planning processes. While operational cybersecurity controls and incident response capabilities are in place, there is no centralized risk register or routine management-level review process specific to cybersecurity risks. However, as part of the ongoing implementation of ISO/IEC 27001, 27701, and 22301, the Company is in the process of establishing a comprehensive risk management framework. This initiative includes the integration of cybersecurity risks into the broader enterprise risk management system, along with formal documentation, internal reporting structures, and cross-functional risk ownership. Heidmar relies on other third-party service providers for infrastructure, security, and productivity tooling. Due diligence is conducted prior to entering into contracts, particularly for vendors handling sensitive data or core systems. This includes reviewing whether such vendors hold recognized security certifications, such as ISO/IEC 27001. We utilize the services of a cybersecurity technology company which monitors alerts in real time, applies predefined response playbooks (e.g., quarantining affected assets), and directly notifies the IT Manager to coordinate further remediation steps. Another key vendor provides managed virtual machines and is responsible for maintaining the Company’s Active Directory, Microsoft 365, and on-premises Exchange environments. Once approved, the selected vendors are considered critical and operate under ongoing relationships, though no formal periodic vendor review or reassessment process is currently in place. **Governance.** Responsibility for overseeing, assessing and managing cybersecurity risks forms part of our IT Manager’s responsibilities. This individual brings over 20 years of experience across IT operations, systems administration, software development, and security program management, and holds several recognized industry certifications, including: Certified Information Systems Security Professional (CISSP); Certified Cloud Security Professional (CCSP); Certified Secure Software Lifecycle Professional (CSSLP); Certified Data Protection Officer (Aegean University); Proofpoint Certified Phishing Specialist (2024); and Web Security & OWASP Certification (SecureFlag). As part of the ongoing ISO/IEC 27001 implementation, our IT Manager is expected to formally assume the role of Chief Information Security Officer (CISO), expanding his responsibilities to include structured policy development and executive-level risk reporting. The IT Manager oversees processes related to the prevention, detection, mitigation, and remediation of cybersecurity incidents. Preventive measures include endpoint protection, email filtering, multi-factor authentication, and vendor risk management at onboarding. Detection relies on continuous monitoring provided by managed security service providers. Mitigation and remediation activities involve immediate containment of threats, coordination of incident response, system restoration from backups, and post-incident analysis to strengthen defenses. The IT Manager will report cybersecurity risks and incidents to the CEO and CFO and to the Board of Directors on an incident-driven or ad hoc basis when significant cybersecurity events occur or when notable changes are made to the organization’s security posture or vendor relationships. As part of Heidmar’s ongoing implementation of ISO/IEC 27001, we are preparing to formalize governance procedures around cybersecurity risk. This will include the designation of a Chief Information Security Officer (CISO), likely fulfilled by the current IT Manager in a dual role, and the establishment of structured board reporting processes to support ongoing oversight of cybersecurity risk at the executive level. **Cybersecurity Threats.** In June 2024, we experienced a cybersecurity incident involving the Akira ransomware group, which gained unauthorized access to certain systems and encrypted a portion of our data. Our backup systems remained unaffected, and all impacted systems were reformatted and restored from backup within a short timeframe. The Company did not experience any financial losses, nor any material impacts to its business strategy, results of operations, or financial condition as a result of the cybersecurity incident. No disruptions to customer relationships or contractual obligations were identified. After the Company detected the incident, the Greek National cybersecurity agency, having been informed by a U.S. counterpart that a network scan output (consisting of internal hostnames and IP addresses) had been posted online by the threat actor, contacted the Company. While the actor claimed to have exfiltrated 20 GB of data, no evidence of such exfiltration was verified. Since the incident, the Company has significantly strengthened its cybersecurity posture, including the deployment of enhanced managed detection and response services, advanced email security solutions, organization-wide multi-factor authentication, and the streamlining of internal directory services and access permissions. Based on current assessments, the Company does not believe there are any ongoing cybersecurity threats or vulnerabilities that are reasonably likely to materially affect its business strategy, results of operations, or its financial condition. See also “Item 3.D. Risk Factors - We rely on our information systems to conduct our business, and failure to protect these systems against security breaches could adversely affect our business and results of operations. Additionally, if these systems fail or become unavailable for any significant period of time, our business could be harmed.” |
Cybersecurity Risk Management Processes Integrated [Flag] | false |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] | **Governance.** Responsibility for overseeing, assessing and managing cybersecurity risks forms part of our IT Manager’s responsibilities. This individual brings over 20 years of experience across IT operations, systems administration, software development, and security program management, and holds several recognized industry certifications, including: Certified Information Systems Security Professional (CISSP); Certified Cloud Security Professional (CCSP); Certified Secure Software Lifecycle Professional (CSSLP); Certified Data Protection Officer (Aegean University); Proofpoint Certified Phishing Specialist (2024); and Web Security & OWASP Certification (SecureFlag). As part of the ongoing ISO/IEC 27001 implementation, our IT Manager is expected to formally assume the role of Chief Information Security Officer (CISO), expanding his responsibilities to include structured policy development and executive-level risk reporting. The IT Manager oversees processes related to the prevention, detection, mitigation, and remediation of cybersecurity incidents. Preventive measures include endpoint protection, email filtering, multi-factor authentication, and vendor risk management at onboarding. Detection relies on continuous monitoring provided by managed security service providers. Mitigation and remediation activities involve immediate containment of threats, coordination of incident response, system restoration from backups, and post-incident analysis to strengthen defenses. The IT Manager will report cybersecurity risks and incidents to the CEO and CFO and to the Board of Directors on an incident-driven or ad hoc basis when significant cybersecurity events occur or when notable changes are made to the organization’s security posture or vendor relationships. As part of Heidmar’s ongoing implementation of ISO/IEC 27001, we are preparing to formalize governance procedures around cybersecurity risk. This will include the designation of a Chief Information Security Officer (CISO), likely fulfilled by the current IT Manager in a dual role, and the establishment of structured board reporting processes to support ongoing oversight of cybersecurity risk at the executive level. |
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Responsibility for overseeing, assessing and managing cybersecurity risks forms part of our IT Manager’s responsibilities. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | This will include the designation of a Chief Information Security Officer (CISO) — likely fulfilled by the current IT Manager in a dual role — and the establishment of structured board reporting processes to support ongoing oversight of cybersecurity risk at the executive level. |
Cybersecurity Risk Role of Management [Text Block] | Responsibility for overseeing, assessing and managing cybersecurity risks forms part of our IT Manager’s responsibilities. This individual brings over 20 years of experience across IT operations, systems administration, software development, and security program management, and holds several recognized industry certifications, including: Certified Information Systems Security Professional (CISSP); Certified Cloud Security Professional (CCSP); Certified Secure Software Lifecycle Professional (CSSLP); Certified Data Protection Officer (Aegean University); Proofpoint Certified Phishing Specialist (2024); and Web Security & OWASP Certification (SecureFlag). As part of the ongoing ISO/IEC 27001 implementation, our IT Manager is expected to formally assume the role of Chief Information Security Officer (CISO), expanding his responsibilities to include structured policy development and executive-level risk reporting. The IT Manager oversees processes related to the prevention, detection, mitigation, and remediation of cybersecurity incidents. Preventive measures include endpoint protection, email filtering, multi-factor authentication, and vendor risk management at onboarding. Detection relies on continuous monitoring provided by managed security service providers. Mitigation and remediation activities involve immediate containment of threats, coordination of incident response, system restoration from backups, and post-incident analysis to strengthen defenses. The IT Manager will report cybersecurity risks and incidents to the CEO and CFO and to the Board of Directors on an incident-driven or ad hoc basis when significant cybersecurity events occur or when notable changes are made to the organization’s security posture or vendor relationships. As part of Heidmar’s ongoing implementation of ISO/IEC 27001, we are preparing to formalize governance procedures around cybersecurity risk. This will include the designation of a Chief Information Security Officer (CISO), likely fulfilled by the current IT Manager in a dual role, and the establishment of structured board reporting processes to support ongoing oversight of cybersecurity risk at the executive level. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The IT Manager will report cybersecurity risks and incidents to the CEO and CFO and to the Board of Directors on an incident-driven or ad hoc basis when significant cybersecurity events occur or when notable changes are made to the organization’s security posture or vendor relationships. |
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | This individual brings over 20 years of experience across IT operations, systems administration, software development, and security program management, and holds several recognized industry certifications, including: Certified Information Systems Security Professional (CISSP); Certified Cloud Security Professional (CCSP); Certified Secure Software Lifecycle Professional (CSSLP); Certified Data Protection Officer (Aegean University); Proofpoint Certified Phishing Specialist (2024); and Web Security & OWASP Certification (SecureFlag). |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | IT Manager is expected to formally assume the role of Chief Information Security Officer (CISO), expanding his responsibilities to include structured policy development and executive-level risk reporting. The IT Manager oversees processes related to the prevention, detection, mitigation, and remediation of cybersecurity incidents. Preventive measures include endpoint protection, email filtering, multi-factor authentication, and vendor risk management at onboarding. Detection relies on continuous monitoring provided by managed security service providers. Mitigation and remediation activities involve immediate containment of threats, coordination of incident response, system restoration from backups, and post-incident analysis to strengthen defenses. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |