SIGMATRON INTERNATIONAL INC 10-K Cybersecurity GRC - 2024-09-03

Page last updated on September 3, 2024

SIGMATRON INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-03 16:08:14 EDT.

Filings

10-K filed on 2024-09-03

SIGMATRON INTERNATIONAL INC filed a 10-K at 2024-09-03 16:08:14 EDT
Accession Number: 0000915358-24-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company is committed to incorporating industry best practices in its cybersecurity program. Its Information Security Management System (ISMS), which the Company uses in the identification of cybersecurity risks and their classification and evaluation, is based on the National Institute of Standards and Technology (NIST) framework and International Organization for Standardization (ISO) standards. The Company invests considerable resources in its information systems and personnel to safeguard its operations. It also regularly engages with external security consultants and auditors to validate its overall cybersecurity and risk management posture.

Key elements of the Company’s cybersecurity program are a formal Risk Management Strategy within ISMS, which is based on the ISO 27001 framework, and an Incident Response Plan, which establishes the process for the Company to identify, assess, mitigate, and remediate risks from cybersecurity events and incidents, including internal notification, breach reporting, and external communications protocols for material incidents. The Company responds to risks in a prioritized fashion. Remediation priority considers the risk likelihood and impact, cost, work effort, and availability of resources.

The Company has a formal third-party management policy that is incorporated into the overall ISMS. It includes procedures to identify, document, and address potential risks posed by third-party service providers of business-critical information systems owned or used by the Company (“Providers”). The Company assesses all Providers and will take additional steps to assess risk from Providers without an industry standard cybersecurity certification. The Company monitors the security posture of all Providers and reviews each Provider’s security and service delivery performance at least annually.

In addition, the Company has adopted company-wide policies and procedures and conducts periodic employee training on a range of matters with cybersecurity risk management implications, including information security and acceptable use of technology policies.

As of the date hereof, the Company is not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company or its business strategy, results of operations, or financial condition. Nevertheless, there is no guaranty that the Company will not experience a cybersecurity threat or that the Company will successfully address an incident in the future. Also, notwithstanding the Company’s vigilance, a cybersecurity incident at one of its suppliers or customers could materially adversely impact the Company. See Item 1A “Risk Factors - Technology Risks” for a discussion of cybersecurity risks.

Governance

The Board of Directors, directly and through the Audit Committee, actively engages in reviews of cybersecurity risks. The full Board of Directors meets with the Company’s Vice President of Information Technology and Director of IT Infrastructure and Security at each of the Board’s regularly scheduled meetings to discuss the Company’s cybersecurity posture, including malicious activity experiences and vulnerabilities for potentially material cybersecurity threats and incidents. The results of disaster recovery exercises, penetration testing, and other external audits are also presented to the Board. The Audit Committee is responsible to review and evaluate the Company’s cybersecurity and other information technology controls and procedures, including the Company’s plans to mitigate cybersecurity risks and to respond to threats.

In addition to being represented on the oversight committee under the Incident Response Plan, the Audit Committee meets regularly with the Company’s information technology leadership team and reviews with them any specific cybersecurity issues that could affect the adequacy of the Company’s internal and disclosure controls. The Company’s information technology team is primarily responsible to manage the Company’s information systems and assess and address all cybersecurity events that are internally detected or externally reported. Communication among Company personnel, including members of upper management when appropriate, is a high priority. An escalation process is in place under the Incident Response Plan to manage cybersecurity events depending on the severity of the risk of information system exploitation. Incidents of critical severity require immediate notice to members of an oversight committee comprised of upper executive and information technology officers, a member of the Audit Committee, and corporate counsel for evaluation and appropriate response. Incidents of medium or low severity are assigned to the appropriate personnel for response, mitigation and remediation.

The Company’s information technology team is led by the Vice President of Information Technology. He has overall responsibility for developing, implementing, and maintaining the Company’s technology strategy, systems, and operations. The current Vice President of Information Technology has been employed in the Company’s information technology department for 10 years, previously as a Director of IT Development and a Business Analyst. He has a Master of Science in Information Systems Degree from DePaul University of Chicago. The leadership team also includes our Director of IT Infrastructure and Security, who is responsible for managing the Company’s cybersecurity strategy, including management of firewalls, identity and access management, endpoint protection, and backups. The current Director of IT Infrastructure and Security has been employed in the Company’s information technology department for 12 years, previously as a Technician and Network Administrator. He has a Master of Science in Information Management Degree from the University of Illinois.

Company Information

Name: SIGMATRON INTERNATIONAL INC
CIK: 0000915358
SIC Description: Printed Circuit Boards
Ticker: SGMA - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: April 29