STANDEX INTERNATIONAL CORP/DE/ 10-K Cybersecurity GRC - 2024-08-02

Page last updated on August 2, 2024

STANDEX INTERNATIONAL CORP/DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-02 15:24:17 EDT.

Filings

10-K filed on 2024-08-02

STANDEX INTERNATIONAL CORP/DE/ filed a 10-K at 2024-08-02 15:24:17 EDT
Accession Number: 0001437749-24-024465


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Like other global companies, we face various cybersecurity threats that could have a material adverse effect on our business strategy, results of operations or financial condition. Cybersecurity, therefore, is an important element of our business and our overall enterprise risk management program, and while we have experienced a small number of cyber incidents over the last few years, none to date have been material or had a material adverse effect on our business or financial condition. To mitigate the risk, we have established a multilayered approach to assessing, identifying and managing material risks from cybersecurity threats, which includes the following:

● An annual cybersecurity risk assessment as part of our Enterprise Risk Management (ERM) program, which reviews and evaluates the potential impact and likelihood of various cyber risks and defines a framework for mitigating measures and residual risk.
● A cybersecurity roadmap that is built from the risk assessment and feeds into our annual IT expenditure plan and which outlines the actions and investments we intend to take to enhance our cybersecurity posture and capabilities.
● A continuous cybersecurity risk monitoring and response process, which involves daily review and real-time alerts of security incidents, a multi-disciplinary escalation and review process, and a reporting and filing protocol for material incidents within four business days of materiality determination.
● A periodic cyber risk assessment conducted by independent experts, which provides an external validation and benchmarking of our cybersecurity practices and performance.

As part of our cybersecurity program, we have and will continue to engage third parties, such as consultants, network security firms, auditors, and forensics providers, to assist us in assessing, managing, or investigating cyber risks or incidents. For example, we have engaged industry recognized third parties to monitor and conduct penetration and vulnerability testing on our networks and to assist us in the conduct of tabletop exercises. In order to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we perform third-party risk assessments designed to help protect against the misuse of IT by third parties and business partners and generally request that third-party service providers provide us information about their security policies and procedures.

Cybersecurity Governance and Oversight

We have a cybersecurity governance structure that involves the oversight and involvement of our board of directors and senior management. Our board of directors, through its Audit Committee, maintains oversight of risks, including cybersecurity risks, and receives an update from the Director of IT Security and the Chief Information Officer (CIO) at each quarterly committee meeting. The Audit Committee also reports to the full board on cybersecurity matters as part of its regular report out after each meeting. The Audit Committee Chair is immediately informed of any breach that could be more than de minimis and is kept apprised of any resulting investigation and is briefed on the substance of any Form 8-K filing related to a material cybersecurity incident.

At the management level, oversight of our cybersecurity program rests with an internal committee comprised of the CIO, the Chief Legal Officer (CLO), and the Director of IT Security, who have in aggregate over 40 years of experience in assessing and managing cyber risks. The committee is responsible for overseeing the implementation and execution of our cybersecurity program and policies, and for engaging external experts as needed. The committee also reviews the log of security incidents as needed to validate that there are no materiality issues in the aggregate. The committee reports to the Audit Committee on a quarterly basis or more frequently as needed.

We have an Incident Response Team comprised of IT, legal, and internal audit personnel that is activated with the help of other disciplines in the event of a perceived breach or security risk. The team is responsible for assessing the impact and materiality of the incident in accordance with a written Incidence Response Plan, determining the appropriate response and remediation actions, and communicating with internal and external stakeholders as needed.

In an effort to deter and detect cyber threats, we have a required cybersecurity training program that is provided to all new employees during on-boarding and semi-annually to employees with access to our IT resources, which aims to raise awareness and foster a culture of cybersecurity among our workforce. We also have an ongoing process of sending simulated phishing emails to employees. The results of these simulated attempts are monitored and reported to each employee’s manager. Training includes such cybersecurity topics as social engineering, phishing, password protection, confidential data protection, asset use and mobile security. The training also emphasizes the importance of reporting all incidents immediately.


Company Information

Name: STANDEX INTERNATIONAL CORP/DE/
CIK: 0000310354
SIC Description: Refrigeration & Service Industry Machinery
Ticker: SXI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 29