Page last updated on August 15, 2024
TAYLOR DEVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-15 07:27:46 EDT.
Filings
10-K filed on 2024-08-15
TAYLOR DEVICES INC filed a 10-K at 2024-08-15 07:27:46 EDT
Accession Number: 0001376474-24-000456
Item 1C. Cybersecurity.
Risk Management and Strategy
In connection with the operation of the Company’s business, we identify, assess and manage key risks that may affect the Company, including material risks from cybersecurity threats through our system security plan. Our system security plan is aligned with the 110 controls detailed in the NIST (SP) 800-171 and Department of Defense CMMC Level 2 guidelines for Cybersecurity.
We have company-wide security policies, standards and controls that seek to incorporate best practices in security engineering, technology architecture and data protection. Our policies and controls include security measures designed to protect our systems against unauthorized access. We also maintain cybersecurity protection measures covering our information technology systems, including with respect to the protection of customer data, vendor data and employee information. We have also implemented specialized training and education programs to seek to guard against cybersecurity incidents, including company-wide communications and presentations, phishing simulations, focused training for specific roles and a general cybersecurity training program required for all employees.
We engage third parties to perform regular reviews of our security controls which includes 24x7x365 security incident and event management (SIEM) as well as vulnerability services and penetration testing.
Our processes to identify, assess and manage material risks from cybersecurity threats include risks associated with our use of third-party service providers, including cloud-based platforms. We oversee and identify cybersecurity risks from our third-party service providers in a number of ways, including appropriate due diligence in connection with new third-party service provider onboarding, robust security terms and conditions in our third-party service provider contracts and ongoing risk-based monitoring to ensure compliance with our cybersecurity standards.
We believe that these policies and controls provide us with an appropriate assessment of potential cybersecurity threats. As of the date of this Annual Report on Form 10-K (this “Form 10-K”), we are not aware of any risks from any potential cybersecurity threat or from any previous cybersecurity incident that have materially affected or are likely to materially affect our business strategy, results of operations or financial condition. However, the preventative actions we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against these potential threats and incidents in the future.
Governance
The Company’s Board of Directors is responsible for overseeing management’s identification, assessment and management of key risks, including cybersecurity risks. Our Director of Information Technology, Mitch Reszczenski, is primarily responsible for assessing and managing our cybersecurity risks. Mr. Reszczenski has over 28 years of extensive information technology experience in highly successful manufacturing, engineering and financial organizations. Mr. Reszczenski provides regular updates on cybersecurity risks and threats and key developments in Company policies, practices and related risk exposures to the Chief Executive Officer and Chief Financial Officer. Additionally, senior management provides an update to the Board of Directors on cybersecurity matters at least once a year, and more often as appropriate. The Board of Directors annually reviews and approves the capital and operating budgets, ultimately reviewing and approving the amount spent by the Company on cybersecurity measures.
Mr. Reszczenski works with senior management to implement and oversee processes for the regular monitoring of our information systems. If a cybersecurity incident involving the Company were to occur, Mr. Reszczenski would engage senior management to initially determine the potential materiality of the incident, the potential need for public disclosure, the timing and extent of the Company’s response and whether any future vulnerabilities are expected. As part of this evaluation, senior management would also identify immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future cybersecurity incidents. After an initial evaluation by senior management, the relevant information regarding the cybersecurity incident and its materiality would be promptly reported to the Company’s Board of Directors for further review and evaluation, including as to whether public disclosure would be required or advisable.
Company Information
Name | TAYLOR DEVICES INC |
CIK | 0000096536 |
SIC Description | General Industrial Machinery & Equipment, NEC |
Ticker | TAYD - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | May 30 |