FRIEDMAN INDUSTRIES INC 10-K Cybersecurity GRC - 2024-06-11

Page last updated on July 16, 2024

FRIEDMAN INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-11 16:13:55 EDT.

Filings

10-K filed on 2024-06-11

FRIEDMAN INDUSTRIES INC filed a 10-K at 2024-06-11 16:13:55 EDT
Accession Number: 0001437749-24-019948


Item 1C. Cybersecurity.

Cybersecurity Governance

The Board of Directors (the “Board”) of the Company is responsible for the oversight of the Company’s cybersecurity program and recognizes the risks that cybersecurity threats may impose on the Company, its business partners, employees and investors. The Company’s IT Director is responsible for overall IT governance, risk and compliance including the Company’s cybersecurity program. The Audit Committee of the Board collaborates with the full Board and the IT Director to facilitate alignment of overall IT related controls and processes. We have a formalized IT Security Incident Report process which provides a method to document and communicate details of security incidents to appropriate stakeholders. The Board and the Audit Committee receive periodic briefings on cybersecurity and help set priorities and strategic direction. As part of continuous improvement, our cybersecurity program is being aligned with the NIST Cybersecurity Framework 2.0 to help ensure comprehensive controls and oversight.

Cybersecurity Controls

We have implemented a modern, comprehensive set of controls that restrict access to systems using a combination of firewalls, virtual private networks, multi-factor authentication and enforced use of corporate controlled compliant devices. We make extensive use of best-in-class automated intrusion prevention, intrusion detection and response systems which constantly monitor activity, build usage patterns and respond or alert when unusual activity is detected. We have experienced staff who perform root cause analysis, respond to any immediate threat, and implement improved controls for future prevention. Our cybersecurity tools are fully integrated and collect data from various sources to build relationships and detect more complex multi-channel attack strategies. Application controls are role-based and designed to protect data confidentiality and provide overall data integrity.

A risk-based approach is taken regarding third-party systems utilized in our business. We have controls specifically focused on E-mail phishing including impersonation attempts. Although our automated controls prevent most phishing attempts, some can be delivered to employees. To mitigate this risk, we provide training to employees using various methods including E-mail phishing campaigns which send phishing-style E-mails, monitor user responses and automatically assign further training as appropriate. Employees have been trained to send any suspicious activity to a central IT Service Desk for evaluation and appropriate timely action.

All critical systems have rigorous data backups and are designed for disaster recovery, ensuring business continuity in the event of a catastrophic incident. As part of continuous improvement, disaster recovery testing is being conducted and documented.

We are not aware of any unmitigated risk or any prior incident that may have materially affected the Company’s data integrity, confidentiality, operations, business strategy or financial reporting. Given our reliance on modern systems, we are aware a significant incident could impact the Company’s overall goals so we strive to provide modern counter measures to manage this risk.


Company Information

Name: FRIEDMAN INDUSTRIES INC
CIK: 0000039092
SIC Description: Steel Works, Blast Furnaces & Rolling & Finishing Mills
Ticker: FRD - NYSE
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: March 30