PRECISION OPTICS CORPORATION, INC. 10-K Cybersecurity GRC - 2024-09-30

Page last updated on October 1, 2024

PRECISION OPTICS CORPORATION, INC. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-30 16:15:23 EDT.

Filings

10-K filed on 2024-09-30

PRECISION OPTICS CORPORATION, INC. filed a 10-K at 2024-09-30 16:15:23 EDT
Accession Number: 0001683168-24-006760


Item 1C. Cybersecurity.

As a company selling products, including those for defense applications, we may be the target of cyber-attacks from a variety of threat actors. Cybersecurity threats include attacks on, or other attempts to infiltrate, our information technology (IT) infrastructure and the IT infrastructure of our customers, suppliers, subcontractors and other third parties, attempting to gain unauthorized access to our confidential or other proprietary information, classified information, or information relating to our employees, customers, and other third parties, or to disrupt our systems or the systems of our customers, suppliers, subcontractors, and other third parties. Cybersecurity threats also include attempts to infiltrate our products or services, including attacks targeting the security, confidentiality, integrity and/or availability of the hardware, software and information installed, stored or transmitted in our products, including after the purchase of those products and when they are incorporated into third-party products, facilities, or infrastructure.

Our Cybersecurity Program

Our products and services are normally classified as EAR 99 by the U.S. government, but our defense customers generally require compliance with the International Traffic in Arms Regulation (“ITAR”). Moreover, our products sold for defense applications are integrated with our customers’ products and these customers may provide us with Controlled Unclassified Information (CUI) that requires safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies. Given the nature of our business and the cybersecurity risks we face, we have instituted cybersecurity measures for identifying, assessing, and managing cybersecurity risks, which include material risks from cybersecurity threats to our internal systems, our products, services and programs for customers, and our supply chain.

The goals of our enterprise cybersecurity program align with the National Institute of Standards and Technology (NIST) standards, among others. The program includes processes and controls for the deployment of new IT systems by the Company and controls over new and existing system operations. We, or third parties we contract with, monitor and conduct regular testing of these controls and systems, including vulnerability management through active discovery and testing to regularly assess patching and configuration status. In addition, we require our employees to complete data security training, and we regularly conduct simulated phishing and cyber-related communications.

Incident Response

Our cybersecurity program includes monitoring for potential security threats that may lead to vulnerabilities. We evaluate and assign severity levels to incidents, escalate and engage an incident response team based on severity, and manage and mitigate the related risks. Incidents are reported internally to members of senior management and/or the Board of Directors as appropriate based on severity and incident type and are also analyzed for external reporting requirements. Our incident response process is also designed to coordinate functions to enable continuity of essential business operation in the event of a cyber crisis.

Third Party Service Providers

We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program’s risk prevention and protection measures, and process execution including incident detection, investigation, analysis and response, eradication, and recovery. Our Chief Financial Officer and Vice President of Engineering meet regularly with third party service providers to review their performance and progress towards our cybersecurity initiatives.

Program Assessment

We continuously evaluate and seek to improve and mature our cybersecurity processes against government standards. Our cybersecurity program is regularly assessed through management self-evaluation and ongoing monitoring procedures to evaluate our program effectiveness, including assessments associated with internal controls over financial reporting as well as vulnerability management through active discovery and testing to validate patching and configuration. As cybersecurity threats are continuously evolving, we also periodically engage with third parties to perform maturity assessments of our program to identify potential risk areas and improvement opportunities. This includes assessment of our overall program, policies and processes, compliance with regulatory requirements and an overall assessment of key vulnerabilities. We use these assessments to supplement our own evaluation of the overall health of our program and target improvement areas.

Board Oversight and Management’s Role

Our Board of Directors has primary oversight responsibility for enterprise cybersecurity risks. The Audit Committee also considers enterprise cybersecurity risks in connection with its financial and compliance risk oversight role. The Chief Financial Officer regularly reports to the Board of Directors on the status of the Company’s cybersecurity program and provides the Board with the annual assessment by a third party on the Company’s cybersecurity program. For more information on risks related to cybersecurity, see Item 1A. “Risk Factors” of this Form 10-K.


Company Information

Name: PRECISION OPTICS CORPORATION, INC.
CIK: 0000867840
SIC Description: Electromedical & Electrotherapeutic Apparatus
Ticker: POCI - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29