VOXX International Corp 10-K Cybersecurity GRC - 2024-05-14

Page last updated on July 16, 2024

VOXX International Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-14 16:13:13 EDT.

Filings

10-K filed on 2024-05-14

VOXX International Corp filed a 10-K at 2024-05-14 16:13:13 EDT
Accession Number: 0000950170-24-059558


Item 1C. Cybersecurity.

Item 1C-Cybersecurity Risk Management and Strategy

Managing cybersecurity risks and securing our sensitive data and systems are a critical part of our business operations and of paramount importance to our organization. The Company has implemented and maintains multiple layers of physical, administrative, and technical security processes designed to protect our facilities from disruptions that may result from cybersecurity incidents, as well as safeguard the confidentiality of our critical systems and data residing on those systems, including employee data, customer data, and proprietary information. Our approach consists of best practice standards, policies, and processes for identifying, assessing, managing, mitigating, and responding to material risks from cybersecurity threats. Our cybersecurity goals are to leverage industry-wide recognized standards, such as The National Institute of Standards and Technology (NIST) Cybersecurity Framework.

We have implemented best practices and established numerous controls to reduce cybersecurity risk. Some key components include:

- Leveraging third-party cybersecurity vendors to test our systems, identify previously undiscovered risks in the environment and validate existing cybersecurity controls. We maintain a process to oversee and identify risks from cybersecurity threats associated with our use of third-party vendors with access to our resources.
- Educating our users on cybersecurity prevention tactics through security awareness training and ongoing phishing testing.
- Protecting Email through multiple layers of security that cover all internal and external communication.
- Utilizing a patching and remediation process for our systems. We use a managed risk service to help detect and prioritize vulnerabilities found in the environment and track them for remediation.
- Having a data recovery plan and controls designed to protect against business interruption, including multiple backups of our critical systems.
- Deploying technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, access controls, extended detection and response, and event monitoring.
- The company maintains a Cybersecurity Insurance Policy.

On an ongoing basis we conduct cybersecurity risk assessments, including compiling, reviewing, and acting on information garnered from internal stakeholders, known security vulnerabilities, and data from external sources. The results of these assessments are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee, and members of management.

We routinely assess our systems and processes for modifications in advance of evolving state privacy regulations and other applicable industry standards and regularly update our privacy and information security policies to remain current with industry practices. We are continually adapting to the ever-changing cyber risk landscape and have a team of information security professionals committed to maintaining the highest levels of systems and data security. The Company itself conducts, and has engaged external information security firms to conduct, assessments, including penetration tests, to continually improve security controls and ensure security controls. We continue to expand and grow our security team and their skillsets and make regular enhancements to our cybersecurity risk management goals.

In addition, we engage with our third-party business partners to enforce our internal cybersecurity practices. We rely on all third-party business partners to maintain appropriate security programs; however, we cannot ensure in all circumstances that their efforts will be successful. We assess third-party cybersecurity controls through a detailed cybersecurity assessment and review, and include security and privacy requirements to our contracts, where applicable. We also require that our third parties report material cybersecurity incidents to us, allowing us the ability to assess the impact of any reported incident on our operations.

The Company’s incident response plans include emergency response, systems recovery, and other plans that would be enacted in the event of certain types of cybersecurity attacks.

Cybersecurity Governance

Our Board of Directors is responsible for oversight of risk management, including cybersecurity risks. The Audit Committee is updated on current cybersecurity events, metrics and other technology risks by our Vice President of Management Information Systems and Director of Infrastructure and Security on a quarterly basis, and all material risks and threats are reported immediately. The Audit Committee, in turn, provides the Board of Directors with updates regarding cybersecurity risks as it deems necessary or appropriate.

Our Internal Cybersecurity Team is comprised of the Director of IT Infrastructure and Security, Global Technical Support Manager, and includes Information Security Administrators and Team Members. This team is responsible for managing efforts to assess, detect, prevent, mitigate, and remediate cybersecurity risks, threats, and incidents. In addition, this team meets regularly with the IT leadership team to review current risks and trends, along with monitoring ongoing cybersecurity metrics.

Our cybersecurity incident response and vulnerability management programs are designed to escalate certain cybersecurity incidents to various levels of management depending on the circumstances, including our VP of Management Information Systems, Director of IT Infrastructure and Security, General Counsel, Chief Financial Officer, and Chief Executive Officer. Management works with our incident response team to help mitigate and remediate certain escalated cybersecurity incidents. In addition, our incident response and vulnerability management programs include reporting certain cybersecurity incidents to the Audit Committee and, in certain circumstances, to the Board.

For the fiscal year ended February 29, 2024, there have been no known risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.


Company Information

Name: VOXX International Corp
CIK: 0000807707
SIC Description: Wholesale-Electronic Parts & Equipment, NEC
Ticker: VOXX - Nasdaq
Website
Category: Accelerated filer
Fiscal Year End: February 28