Page last updated on August 29, 2024
NAPCO SECURITY TECHNOLOGIES, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-29 16:43:12 EDT.
Filings
10-K filed on 2024-08-29
NAPCO SECURITY TECHNOLOGIES, INC filed a 10-K at 2024-08-29 16:43:12 EDT
Accession Number: 0001558370-24-012547
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We face significant and persistent cybersecurity risks due to the global nature of our business, the use of information technology systems, infrastructure and data in our business operations and our reliance on third-party vendors, suppliers, customers and business partners. We defend our systems against cybersecurity attacks on a daily basis and rely heavily on the reliability, security and efficiency of our information technology systems and ongoing employee training to face these threats.

We maintain a cyber risk management program designed to assess, identify and manage cybersecurity threats. Our cyber risk management program has been integrated into our overall risk management program. The Audit Committee of our Board of Directors and our management are involved in the oversight of our risk management program, of which cybersecurity represents an important component.

We rely on a multidisciplinary team, including our information security function, outside legal counsel, management, and third-party service providers, as described further below, to identify, assess, and manage cybersecurity threats and risks. These processes include, among other things, annual security awareness training for employees, programs to increase awareness of phishing attempts, tools to detect and monitor unusual network activity, and processes to contain, escalate and respond to incidents. In addition, we have an enterprise Information Security Policy describing our cybersecurity program and governance structure and the processes and procedures in place to identify, mitigate and remediate cybersecurity threats and risks. We have an incident response plan for managing cybersecurity incidents and associated crisis communication procedures designed to facilitate coordination across the Company and with our partners, customers, the public and others.
To further protect our business, we partner with a third-party vendor to provide cybersecurity and risk management as a managed service offering. They provide cybersecurity risk assessment and threat intelligence to the Company, in addition to acting as a managed service provider for our information technology program. We decided to retain a third party for these services given the small size of our Company and internal information technology staff and the quality, comprehensiveness, and cost-effectiveness of the services offered. An internal team, led by our Vice President of Information Technology, who has over 30 years of experience in IT security matters, oversees and works collaboratively with this third-party vendor to evaluate the strength of our cybersecurity protocols and the results of testing to determine what additional actions, such as trainings or remedial actions, are necessary to lessen cybersecurity risks.

Third Party Risk Management

We also monitor and manage cybersecurity risks associated with our third-party service providers, including our managed security service provider, suppliers, customers and vendors, through, among other things, the processes set forth in our policies and procedures, due diligence processes, regular oversight, monitoring and auditing of our relationships by internal staff, supplier codes of conduct and escalation practices for reporting issues. We require our third-party providers to meet appropriate security requirements and controls prior to providing access to our internal systems, and investigate and report any security incidents, as appropriate.

Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For more information, see “Risk Factors-Risks Related to “Cybersecurity incidents and other disruptions to our information and technology systems, or the information systems of third parties whom we do business” in Part I, Item IA of this Annual Report on Form 10-K.

Cybersecurity Governance

Risk assessment and oversight are an integral part of our governance and management processes. The Audit Committee of our Board of Directors (the “AC”) has ultimate oversight of the Company’s risk management. The AC is responsible for overseeing our enterprise risk management program, including material risks related to cybersecurity threats. The AC receives regular updates from management, including the information technology and legal teams, on cybersecurity risk resulting from risk assessments and reviews any information on relevant internal and industry cybersecurity incidents and is notified between such updates relative to any incidents which could materially affect the Company. Based on this information, our AC monitors the Company’s cybersecurity program, including potential threats, weaknesses and vulnerabilities, and reviews the policies and procedures in place to prevent, detect and respond to cybersecurity threats and unauthorized access to our information security systems. Significant findings related to cybersecurity, data and technology risks or incidents are at least annually reported to and discussed with the Board of Directors. Our information technology department is responsible for assessing the risk of cybersecurity threats and hiring appropriate personnel and third-party consultants to oversee the cybersecurity program.
Company Information
Name | NAPCO SECURITY TECHNOLOGIES, INC |
CIK | 0000069633 |
SIC Description | Communications Equipment, NEC |
Ticker | NSSC - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 29 |