UNIFI INC 10-K Cybersecurity GRC - 2024-08-23

Page last updated on August 23, 2024

UNIFI INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-23 15:29:51 EDT.

Filings

10-K filed on 2024-08-23

UNIFI INC filed a 10-K at 2024-08-23 15:29:51 EDT
Accession Number: 0000950170-24-100146


Item 1C. Cybersecurity.

Risk Management and Strategy

As a part of the Company’s overall risk management and compliance programs, we have developed an enterprise cybersecurity program designed to detect, identify, classify, and mitigate cybersecurity and other data security threats. Our enterprise cybersecurity program classifies potential threats by risk levels and we typically prioritize our threat mitigation efforts based on those risk classifications, while focusing on maintaining the resiliency of our systems. In recent years, we have increased our investments in our ability to detect, identify, classify and mitigate cybersecurity and other data security threats within our environment. In the event we identify a potential cybersecurity or other data security issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, the Board, other stakeholders and law enforcement when responding to such issues.

The Company’s enterprise cybersecurity program focuses on vulnerability management, access management, and user awareness training. Among other things, the Company implements scheduled patching and system updates and proactively scans for vulnerabilities. We regularly engage qualified third-party experts to assess the Company’s information technology infrastructure and identify vulnerabilities and opportunities for continued focus and improvement. The Company utilizes industry-standard technologies, processes, and capabilities designed to protect our systems and data and to detect potential suspicious activity.

We provide cybersecurity training and user education on a regular basis for users with access to the Company’s information technology systems. We conduct monthly social engineering tests to promote phishing awareness and security awareness. The Company monitors servers and endpoint devices across the organization to detect signs of a cyberattack.

We maintain and practice a response and recovery plan to restore systems and data. We also maintain cyber liability insurance against cyber-attacks as part of our comprehensive insurance portfolio. Because we are aware of the risks related to third-party service providers, we have implemented processes to oversee, identify, and manage risks from cybersecurity threats associated with our most significant third-party service providers.

We have experienced targeted and non-targeted cybersecurity attacks and incidents in the past, and we could in the future experience similar attacks. For the years presented, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that had, or were reasonably likely to have, a material effect on the Company, including our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats we face, see “Operational Risks - Our business and operations could suffer in the event of cybersecurity breaches,” in “Item 1A. Risk Factors” in this report.

Governance

Day-to-day management of cybersecurity risk is performed by the Company’s Information Technology Security Team with direct oversight from the Chief Information Officer (the “CIO”). The Company’s incident response plan includes a defined escalation matrix for critical or high severity information security events involving notifications to the CIO, who further escalates critical or high severity events to the Company’s Cyber Incident Steering Committee (the “CISC”), which consists of the CIO, the Chief Financial Officer, the General Counsel, and the Internal Audit Manager. Additional senior management from relevant business units are included as needed based on the nature of identified cybersecurity incidents.

The CISC is responsible for providing support, guidance, and oversight of UNIFI’s incident response, including making a determination of materiality to evaluate the need for escalation and disclosure. The materiality evaluation is made using the framework established in the federal securities laws, with a focus on the importance of the information to a reasonable investor.

The Board recognizes the important role of information security and mitigating cybersecurity and other data security threats, as part of our efforts to protect and maintain the confidentiality and security of customer, employee, and vendor information, as well as non-public information about UNIFI. Although the Board as a whole is ultimately responsible for the oversight of our risk management function, the Board uses its committees to assist in its risk oversight function. The Audit Committee of the Board has primary responsibility for oversight of risk assessment and risk management, including risks related to cybersecurity and other technology issues. The Audit Committee regularly reviews our cybersecurity and other technology risks, controls and procedures. The Audit Committee receives reports from the CIO quarterly regarding our cybersecurity framework, as well as our plans to mitigate cybersecurity risks and to respond to any data breaches.

The Company’s Information Technology Security Team and its cybersecurity infrastructure are overseen by the CIO who reports to the Chief Executive Officer. The CIO has served in various roles in information technology for over 29 years.

Furthermore, UNIFI management prepares, and the Audit Committee reviews and discusses, a quarterly assessment of our risks on an enterprise-wide basis. We conduct a rigorous enterprise risk management program that is updated quarterly and is designed to bring to the Audit Committee’s attention our most critical risks for evaluation, including cybersecurity risks.


Company Information

Name: UNIFI INC
CIK: 0000100726
SIC Description: Textile Mill Products
Ticker: UFI - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: July 2