NATURAL ALTERNATIVES INTERNATIONAL INC 10-K Cybersecurity GRC - 2024-09-27

Page last updated on September 27, 2024

NATURAL ALTERNATIVES INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-27 17:27:38 EDT.

Filings

10-K filed on 2024-09-27

NATURAL ALTERNATIVES INTERNATIONAL INC filed a 10-K at 2024-09-27 17:27:38 EDT
Accession Number: 0001437749-24-030208

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy As part of our overall enterprise risk management function, we have implemented and currently maintain various information security processes designed to identify, assess and manage material risks related to information technology, including cybersecurity threats to our critical computer networks, third-party hosted services, and our critical data, (“Information Systems”). Our Information Systems risk management process evaluates and mitigates cybersecurity risks in alignment with our business objectives and operational needs. We periodically engage third-party consultants and service providers to obtain an independent assessment regarding internal efforts to prevent threats on our Information Systems. Continuous vigilance over safeguarding the Company’s Information Systems have resulted in our current approach and these assessments are shared with our Audit Committee. Technology To mitigate the occurrence of an incident as defined by the Company’s formal documentation, which classifies and defines the properties of potential threats, the Company has in place a host of defenses which include, but are not limited to, the use of gateway consoles in all our global locations, limited access to key Information Systems from in-office networks or VPN with multi-factor authentication by means of a third-party mobile identity management tool to limit access to authorized users. Process Internally to manage potential cybersecurity threats, we have established an Incident Response Plan that is designed to control the workflow of a reported incident. This plan formalizes incidence response stages such that reporting, identification, scope, response, and recovery are executed in a timely manner and identifies the order and coordination of internal and external communication. In addition, the Company addresses crisis management and business continuity with respect to Information Systems to ensure reliable redundancy and recovery of backed-up databases. Management is not aware of any material security breaches on its Information Systems and risks from cybersecurity threats have not previously materially affected us. Because certain of our vendors have experienced cyberattacks in the past and the threat and development of cyberattacks is continuous, it is impossible to say with certainty whether the Company’s efforts will prevail in a coordinated attack on its Information Systems. We currently do not expect the risks from cybersecurity threats are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.” Governance Role of the Board The Audit Committee of our Board of Directors (the “Board”) has the responsibility for the oversight of risk management, including those risks related to cybersecurity. The Board holds strategic planning sessions with senior management to discuss strategies, key challenges, risks and opportunities for mitigation. The involvement of our Board in setting our business strategy is a key part of its oversight of risk management, its assessment of management’s appetite for risk, and its determination of what constitutes an appropriate level of risk for us. Our senior management attends meetings of our Board and its committees on a quarterly basis, and as otherwise needed, and are available to address any questions or concerns raised by our Board on risk management and any other matters. Role of Management Our senior management, with the oversight of the Board, is responsible for the day-to-day management of the material risks the Company faces, including those related to cybersecurity. We believe it is important to work at all levels of the Company’s hierarchy to manage cybersecurity risks and threats. Therefore, all users must use an online IT ticketing system, which is monitored around the clock, to report any incidences. Qualified individuals in IT determine what resources to allocate to each case and escalation of an incident, if deemed necessary. The Systems Administrators and IT Director, who has more than 17 years of experience with the Company, communicates on a day-to-day basis with the Chief Financial Officer and President/Chief Operating Officer who would bring any material cybersecurity issues to the attention of the Company’s Chief Executive Officer and the Board.

Company Information