What changed in Zevia PBC's 10-K — 2024 vs 2025

Item 1C. Cybersecurity We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process designed to assess, identify, and manage material risks from cybersecurity threats. This process is supported by both management and our Board of Directors.

To prevent, detect, mitigate, and remediate information security threats, including a cybersecurity incident and/or threat, we maintain a cyber risk management process managed by our Senior Vice President, Operations (“SVP, Operations”) who reports to our CEO and has seven years of experience overseeing information technology processes and procedures, including cybersecurity matters.

The SVP, Operations works with the Company’s Legal team on cybersecurity strategy, policy, training, standards, architecture, and processes. We have invested, and expect to continue to invest, in resources for the protection and safeguarding of our information technology systems, including, but not limited to, networks, applications, and outsourced technology services in connection with the operation of our business.

We have implemented cybersecurity systems and controls based on industry best practices and the U.S. National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”).

This does not imply that we meet any particular technical standards, specifications or requirements, only that we use such standards as a guide to help us identify, assess and manage cybersecurity risks relevant to our business.

These resources are designed to detect and respond to cyber incidents that may result in unauthorized access to, ransomware, damages, or destruction of, our information systems. 32 Risk Management and Strategy Cybersecurity risk is a direct responsibility of management and the Company’s information technology (“IT”) team, including our Director, IT who has over 15 years of experience building, implementing, and managing information systems, developing cybersecurity programs, and deploying risk mitigation strategies for such systems.

Working cross-functionally with our Legal team, our SVP, Operations oversees the IT team that regularly monitors and assesses cybersecurity risks, implements measures designed to mitigate such risks and their associated effects on the Company and personal data collected, stored, and processed in our systems, and manages our information security training and cybersecurity awareness program.

We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. Our approach to cybersecurity risk management includes the following: • Multi-Layered Defense and Monitoring – We work to protect our computing environments from cybersecurity threats through multi-layered defenses and monitoring efforts to identify cybersecurity threats, and to help prevent future attacks.

We utilize data analytics systems to detect anomalies and identify cyber threats. From time to time, we engage third-party consultants or other advisors to assist in assessing, identifying, and/or managing cybersecurity threats.

We also periodically use third-parties to conduct additional reviews and assessments. • Insider Threats – We maintain organizational controls such as limited access, and access removal for terminated employees, designed to minimize insider threats, and address potential risks from within our Company.

Our measures and controls are informed by industry practices, and designed to be consistent with applicable law, including privacy and other considerations. • Third Party Risk Assessments – We conduct privacy and information security risk assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties. • Training and Awareness – We provide awareness training to our employees to help identify, avoid and mitigate cybersecurity threats.

Our employees with network access are required to participate annually in training, including phishing simulations and other awareness training.

We also periodically host tabletop exercises with management and other employees to practice rapid cyber incident response. • Supplier Engagement – Our standard terms and conditions contain contractual provisions requiring that our third-party suppliers disclose to us the technical and organizational measures they maintain, the standards and certifications by which they are evaluated for information and cyber security, and their cybersecurity insurance protection level.

We seek to mitigate risk by evaluating the foregoing against any potential cyber-related risks depending on the nature of the services being provided. Governance Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight.

The Nominating and Enterprise Risk Management (“NERM”) Committee of the Board of Directors specifically assists the Board in its oversight of risks related to cybersecurity. In accordance with its charter, the NERM Committee receives regular reports at each of its quarterly meetings from management, including the SVP, Operations.

Such reporting includes updates on the Company’s cybersecurity program, information security matters, the evolving cybersecurity threat environment, applicable privacy law compliance, and the Company’s mitigation plans and evolving mitigation strategy. The Chair of the NERM Committee regularly reports to the Board of Directors on cybersecurity risks and other related matters .

In addition, both the NERM Committee and the Audit Committee, in a joint meeting, receive an update on the Company’s risk management process and the risk trends related to cybersecurity at least annually. Management reports to the NERM Committee and/or the Board of Directors in between meetings as appropriate regarding any significant cyber events.

Since the beginning of the last fiscal year, we have not identified any cybersecurity threat or incident that has materially affected the Company or our financial position, results of operations and/or cash flows, but we face certain ongoing cybersecurity risk threats that, if realized, are reasonably likely to materially affect us.

We continue to invest in the cybersecurity and resiliency of our networks and enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Part I, Item 1A. “Risk Factors” included in this Annual Report.

Legal Proceedings We are not subject to any material legal proceedings. Item 4. Mine Safety Disclosures. Not applicable. 33 PART II