NORTHERN TECHNOLOGIES INTERNATIONAL CORP 10-K Cybersecurity GRC - 2024-11-19

Page last updated on November 19, 2024

NORTHERN TECHNOLOGIES INTERNATIONAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 08:15:39 EST.

Filings

10-K filed on 2024-11-19

NORTHERN TECHNOLOGIES INTERNATIONAL CORP filed a 10-K at 2024-11-19 08:15:39 EST
Accession Number: 0001171843-24-006440


Item 1C. Cybersecurity.

Item 1C. Cybersecurity," may not be sufficient to prevent cyber security incidents. The result of these incidents could include disrupted operations, lost opportunities, misstated financial data, liability for stolen assets or information, increased costs arising from the implementation of additional security protective measures, litigation, and reputational damage. Any remedial costs or other liabilities related to cyber security incidents may not be fully insured or indemnified by other means. Additionally, on July 26, 2023, the SEC issued final rules related to cyber security risk management and related disclosures. NTIC and its Audit Committee continue to monitor and analyze the impact these rules may have on NTIC’s regulatory burden and cost of compliance related to cyber security threats.

NTIC’s quarterly results are typically unpredictable and subject to variation.

NTIC’s quarterly operating results vary from quarter to quarter for a variety of reasons. For example, NTIC’s quarterly sales to joint ventures can be affected by individual orders to joint ventures. Because of the typical size of individual orders to joint ventures and the overall size of NTIC’s net sales to joint ventures, the timing of one or more orders can materially affect NTIC’s quarterly sales to joint ventures and the comparisons to prior year quarters. In addition, because of the typical size of individual orders and the overall size of NTIC’s net sales derived from sales of Natur-Tec(R) products, the timing of one or more orders can materially affect NTIC’s quarterly sales of Natur-Tec(R) products and the comparisons to prior year quarters. Furthermore, since ZERUST(R) products for the oil and gas industry typically carry higher margins than other traditional ZERUST(R) products, the amount of sales of ZERUST(R) products for the oil and gas industry typically affects NTIC’s overall margins.
Such variability in operating results makes the prediction of NTIC’s net sales, earnings, and other operating results for each quarter difficult and increases the risk of unanticipated variations in quarterly operating results. NTIC’s quarterly results have been and, in the future, may be below the expectations of public market analysts and investors.

NTIC’s business is subject to a number of other miscellaneous risks that may adversely affect NTIC’s operating results, financial condition, or business.

NTIC’s business is subject to a number of other miscellaneous risks that may adversely affect NTIC’s operating results, and financial condition, such as natural or man-made disasters, an unexpected business loss of supply due to a force majeure event or global pandemics that may result in shortages of raw materials, higher commodity costs, an increase in insurance premiums, and other adverse effects on NTIC’s business; the continued threat of terrorist acts and war that may result in heightened security and higher costs for import and export shipments of components or finished goods; and the ability of NTIC’s management to adapt to unplanned events.

Item 1B. UNRESOLVED STAFF COMMENTS

Not applicable.

Item 1C. CYBERSECURITY

Background

Cybersecurity, data privacy, and data protection are critical to NTIC’s business. In the ordinary course of business, NTIC collects and stores certain confidential information, such as information about employees, contractors, vendors, customers, and suppliers. NTIC has processes in place for assessing, identifying, and managing material risks from cybersecurity threats, and NTIC regularly assesses its performance and identifies areas for improvement. In recent years, NTIC has implemented measures to safeguard its entire cyber network.
Management continually re-assesses NTIC’s cybersecurity risk environment based on changing circumstances and new information identified by monitoring, scanning and testing its systems as well as utilizing third party resources for testing.

Risk Management and Strategy

NTIC’s processes for assessing, identifying, and managing cybersecurity threats have been integrated into the overall risk management processes. The information provided by these processes facilitates management’s ongoing assessment of NTIC’s cybersecurity risk environment and provides current and accurate information regarding cybersecurity risks to management, the Audit Committee and Board of Directors to allow appropriate management of such risks through remediation or other risk mitigation activities. NTIC maintains a cybersecurity program that is designed to identify, protect from, detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. NTIC takes a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect its operations, finances, legal or regulatory compliance, or reputation. The scope of NTIC’s evaluation encompasses risks that may be associated with both its internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers. Once identified, cybersecurity risks and related mitigation efforts are prioritized based on their potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk.
These strategies include, among others, the application of cybersecurity policies and procedures, implementation of administrative, technical, and physical controls, and employee training, education, and awareness initiatives.

Role of Management

Management has implemented risk management structures, policies and procedures and is responsible for NTIC’s day-to-day cybersecurity risk management. Our Information Technology Director, who brings a solid foundation in cybersecurity from prior managerial roles and specialized training, is responsible for our day-to-day assessment and management of cybersecurity risks and has helped NTIC leverage best practices consisting of real time monitoring, anti-virus and ongoing patch management for all systems. Maintenance keeps code to industry standards and aligned with best practices. Security, and threats to security, are constantly evolving. The implemented measures are flexible enough that they can be modified dynamically to respond to changes in the security landscape. The following security measures give some insight as to what has been implemented:

● Multifactor Authentication
● Phishing Simulations
● User Permissions Auditing and Tightening
● Proactive blocking of high-risk email
● Active monitoring of user sign-in
● On-premises Endpoint reduction
● Endpoint detection and response
● Licensing, Network, and hardware compliance management

Use of Consultants and Advisors

NTIC engages various third-party cybersecurity service providers to assess and enhance its cybersecurity practices and assist with protection and monitoring of its systems and information, including with respect to protection of its e-mail, system access, network monitoring, endpoint protection, vulnerability assessments and penetration testing.
NTIC engages cybersecurity consultants, auditors, and other third parties to assess and enhance its cybersecurity practices, such as a third party consulting firm to perform tabletop exercises and evaluate NTIC’s cyber processes including an assessment of its incident response procedures.

Board Oversight

The Board of Directors, both directly and through the delegation of responsibilities to the Audit Committee, oversees the proper functioning of NTIC’s cybersecurity risk management program. In particular, the Audit Committee, which is comprised entirely of independent directors, is responsible for reviewing and discussing guidelines and policies governing the process by which senior management of NTIC assesses and manages NTIC’s exposure to risk and reviewing and discussing NTIC’s major financial risk exposures, including cybersecurity risk, and the steps management has taken to monitor and control such exposures; it being understood that it is the job of management to assess and manage NTIC’s exposure to risk and that the Audit Committee’s responsibility is to discuss guidelines and policies by which risk assessment and management are undertaken. The Audit Committee additionally receives periodic updates from senior management on NTIC’s policies, processes, procedures and any significant developments related to the identification, mitigation and remediation of cybersecurity risks and is responsible for reviewing the cybersecurity disclosures required to be included in NTIC’s SEC filings. Although none of the members of the Audit Committee has any work experience, degree, or certifications related to information security or cybersecurity, the Audit Committee works closely with members of management and NTIC has engaged third-party service providers to further enhance its cybersecurity efforts.

Risks from Material Cybersecurity Threats

Although NTIC has taken steps to prevent and mitigate data security threats, there can be no assurance that its protective measures and those of its third party service providers will prevent or detect security breaches that could have a significant impact on NTIC’s business, reputation, operating results and financial condition. NTIC maintains cyber liability insurance; however, this insurance may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of NTIC’s systems. As of the date of this filing, NTIC has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on NTIC’s business strategy, results of operations or financial condition. Although NTIC has not experienced cybersecurity incidents that are individually, or in the aggregate, material, NTIC has experienced cyberattacks in the past, which NTIC believes have thus far been mitigated by preventative, detective, and responsive measures it has put in place. See the factors described in the "Part I. Item 1.A. Risk Factors" section of this Form 10-K for further detail about the cybersecurity risks NTIC faces. Maintaining a robust information security system is an ongoing priority for NTIC, and NTIC plans to continue to identify and evaluate new, emerging risks to data protection and cybersecurity both within NTIC and through its engagement of third-party service providers.


Company Information

Name: NORTHERN TECHNOLOGIES INTERNATIONAL CORP
CIK: 0000875582
SIC Description: Coating, Engraving & Allied Services
Ticker: NTIC - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: August 30