MESA LABORATORIES INC /CO/ 10-K Cybersecurity GRC - 2024-06-28

Page last updated on July 16, 2024

MESA LABORATORIES INC /CO/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-28 17:02:32 EDT.

Filings

10-K filed on 2024-06-28

MESA LABORATORIES INC /CO/ filed a 10-K at 2024-06-28 17:02:32 EDT
Accession Number: 0001437749-24-021606


Item 1C. Cybersecurity.

Governance Related to Cybersecurity Risks

We recognize the importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our Board of Directors has delegated its responsibility for oversight of cybersecurity risks to our Audit Committee. In accordance with its charter, our Audit Committee is responsible for governing management’s review and assessment of our cybersecurity and other information technology risks, controls and procedures. Management’s Business Information Services team provides the Audit Committee with quarterly updates on our cybersecurity program, detailing our monitoring and mitigation efforts. Mesa’s Audit Committee has two members with prior work experience overseeing or assessing a cybersecurity function. The Audit Committee briefs the full Board on cybersecurity matters regularly. We have established procedures to keep management and the Audit Committee informed about security incidents that could significantly impact the business.

Our information security program is led by our Information Security Manager, who has over ten years of cybersecurity experience, who in turn reports to our Vice President of Information Services, who has over 25 years of experience in the industry. The Information Security Manager regularly meets with our Business Information Services team, and as applicable, appropriate executive and Board of Directors personnel, to review our cybersecurity posture, the broader cybersecurity landscape, any identified cybersecurity incidents, our monitoring of cybersecurity risks through continuous mitigation efforts, and any anticipated enhancements to our policies, procedures and controls.

Cybersecurity Risk Management and Strategy

Our cybersecurity program, guided by industry standards, encompasses processes for the identification, assessment, and management of cybersecurity risks. We carry out regular risk assessments, supported by external vendors, to evaluate our cybersecurity program, pinpoint areas for enhancement, and devise strategies to mitigate cybersecurity risks. We perform ongoing security testing and have implemented a vulnerability management process to address identified security risks based on severity. An external vendor provides us with quarterly vulnerability scans, annual penetration tests, security tabletops, and an enterprise-wide annual security assessment to assess and validate our physical, technical, external, and administrative controls. Third parties that access, process, store or transmit our information or that have access to our systems may have and be subject to additional cybersecurity controls.

We maintain cybersecurity policies that articulate Mesa’s expectations and requirements with respect to topics such as acceptable use of technology and data, data privacy, risk management, education and awareness and event and incident management. Consistent with our position that cybersecurity is the responsibility of every Mesa team member, we regularly educate and share best practices to raise awareness of cybersecurity threats. Every year, associates in applicable job categories are required to take information security and protection training, and we conduct ongoing simulated testing to educate employees on phishing. Our Information Security Manager and Business Information Services team oversee the day-to-day prevention, detection, mitigation, and resolution of cybersecurity risks, utilizing third-party security software and services. We also deploy processes and technologies to monitor security alerts from both internal and external sources, including information security research.

In case of a confirmed security incident, we have a full incident response plan that includes engaging an incident handling team, guidance for determining materiality, and steps to respond, remediate, and recover from the security incident. To date, risks from cybersecurity threats have not materially affected our business strategy, results of operations or financial condition. We can provide no assurance that there will not be cybersecurity incidents in the future or that such incidents will not materially affect us; however, based on available information as of the date of this annual report, we do not believe that such threats are reasonably likely to materially affect our business. We maintain a cybersecurity insurance policy and a retainer for third-party incident response services which may mitigate certain financial impacts of a cybersecurity incident, should one occur.


Company Information

Name: MESA LABORATORIES INC /CO/
CIK: 0000724004
SIC Description: Industrial Instruments For Measurement, Display, and Control
Ticker: MLAB - Nasdaq
Website
Category: Accelerated filer
Fiscal Year End: March 30