CULP INC 10-K Cybersecurity GRC - 2024-07-12

Page last updated on July 16, 2024

CULP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-12 11:00:54 EDT.

Filings

10-K filed on 2024-07-12

CULP INC filed a 10-K at 2024-07-12 11:00:54 EDT
Accession Number: 0000950170-24-083115


Item 1C. Cybersecurity.

Our Board of Directors (the “Board”) recognizes the importance of cybersecurity and safeguarding our information systems and data assets. It is imperative that we maintain the trust and confidence of our customers, business partners and employees. Protecting our data and the data of our customers, business partners and employees is critical to maintaining that trust. As such, the Board is actively involved in overseeing our cybersecurity risk management program.

Risk Management and Strategy

We manage cybersecurity risks as part of our broader enterprise risk management framework, which allows us to leverage existing, robust processes for assessing the effectiveness and coverage of our controls. Our cybersecurity policies, standards, processes and practices are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. We seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information we collect and store, including information regarding our customers, suppliers and employees.

As part of our enterprise risk management program, we actively work to identify, prevent, and mitigate cybersecurity threats, and take steps to be prepared to effectively respond to cybersecurity incidents when they occur. Our approach includes using select third-party resources, including external cybersecurity consultants, auditors, and technologies, along with our internal staff, to benchmark, measure, and improve our cybersecurity risk management systems and processes, and ensure alignment with industry best practices.

We have established a robust cybersecurity governance framework to manage and mitigate risk. Our approach includes:

- Security Operations Program - a security operations program to bolster real-time cybersecurity incident detection and response capabilities;
- Third-Party Risk Management - regular evaluation and monitoring of our network of external partners, vendors, suppliers and service providers, which includes monitoring of third parties, securing vendor remote access, and implementation of protections against cyber threats that may arise through business-to-business system integrations;
- Security Control Framework - a security control framework that aligns with industry accepted best practices and prioritizes implementation of critical cybersecurity controls;
- Incident Response Plan - a cybersecurity incident response plan, designed to effectively address cybersecurity incidents while promoting cross-functional coordination across the organization;
- Assessments - annual cybersecurity assessments, administered by a third-party specialist, which focus on identifying and remediating vulnerabilities that present the most significant organizational risks;
- Training - security awareness training for all salaried personnel that highlights critical organizational risks through monthly phishing simulation campaigns, “lunch and learns,” and annual cybersecurity learning modules;
- Insurance - cybersecurity insurance policies and periodic reviews of our policies and coverage levels; and
- Monitoring Legal/Regulatory Developments - review of emerging data protection, data privacy, and other relevant cybersecurity laws and regulations to determine appropriate changes to cybersecurity controls and processes.

Through the aforementioned processes, we did not identify risks from current or past cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect business strategy, results of operations, or financial condition. See “Risk Factors-Increasing dependence on information technology systems comes with specific risks, including cybersecurity breaches and data leaks, which could have an adverse effect on our business.”

Governance

Our Board of Directors has delegated to its Audit Committee primary responsibility for overseeing our management of risks arising from cybersecurity threats. The Audit Committee receives quarterly presentations on our cybersecurity program, including regular presentations regarding our cybersecurity risks; our efforts to address evolving standards; vulnerability assessments, including results of third-party penetration testing; and external audits of our cybersecurity IT controls. Management and the Board also receive prompt and timely information regarding any significant or potentially significant cybersecurity incident and our remediation efforts.

Our Vice President of Information Technology and our Director of Technical Infrastructure, in coordination with management, work to implement our program to protect the Company’s information systems from cybersecurity threats. These individuals work to promptly evaluate and address any cybersecurity incidents, and work with management to assess the impact and any necessary remediation efforts following a cybersecurity incident. In addition, the Vice President of Information Technology provides updates to the Audit Committee and the Board on a regular basis and as needed in response to specific incidents.

To facilitate the success of our cybersecurity risk management program, we have assigned our Director of Technical Infrastructure and his team to monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and provide reports to management. Our Vice President of Information Technology and Director of Technical Infrastructure have a combined 65 years of experience designing, implementing, and supporting information technology systems with a security-first mindset. In particular, prior to joining Culp, our Director of Technical Infrastructure gained experience leading cybersecurity teams at a managed security service provider, where he provided cybersecurity support to outside organizations.


Company Information

Name: CULP INC
CIK: 0000723603
SIC Description: Broadwoven Fabric Mills, Cotton
Ticker: CULP - NYSE
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: May 2