MATTHEWS INTERNATIONAL CORP 10-K Cybersecurity GRC - 2024-11-22

Page last updated on November 22, 2024

MATTHEWS INTERNATIONAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-22 14:08:34 EST.

Filings

10-K filed on 2024-11-22

MATTHEWS INTERNATIONAL CORP filed a 10-K at 2024-11-22 14:08:34 EST
Accession Number: 0000063296-24-000094


Item 1C. Cybersecurity.

Cybersecurity Program

Matthews depends on integrated information systems to conduct its business. Accordingly, the Company has implemented a cybersecurity program designed to protect its information systems and to assess, identify and manage material risks from cybersecurity threats. This comprehensive program addresses acceptable use, risk management, data privacy, incident management and reporting, identity and access management, third-party management, physical security, and vulnerability identification. The Company also deploys cybersecurity training courses to all employees, maintains an Incident Response Plan, establishes cybersecurity contingency plans and conducts phishing testing on a regular basis. Matthews continues to invest in internal and external tools to better detect, patch, monitor, and restore systems. Further, the Company maintains cybersecurity insurance coverage intended to protect against loss of business and other related consequences resulting from cyber incidents.

Risk Management and Strategy

Matthews uses a risk-based approach to manage risks from cybersecurity threats according to the nature and sensitivity of the data and the criticality of the systems to operations. The Company also maintains a vulnerability management program where cybersecurity risks are identified, classified, and addressed and periodically conducts penetration testing through an independent third-party assessor. The Company conducts cybersecurity tabletop exercises to enhance mitigating controls and incident response preparedness. When management deems it advisable, the Company engages third parties, including consultants, advisors, and auditors, to assist with security and maturity assessments, security operations, employee training and awareness, compliance, penetration testing, network and endpoint monitoring, threat intelligence, and vulnerability management.

Matthews uses a number of means to assess cyber risks related to its third-party service providers, including processes governing interconnections with third-party systems and regular review of critical vendors’ cybersecurity positions for potential risks. Third-party service provider assessments begin during onboarding and continue throughout the relationship, based upon an assessment of third-party risk. Those assessments include review of System and Organization Controls (“SOC”) 1 and SOC 2 reports (as each such report is defined by the American Institute of Certified Public Accountants), and direct interaction with key vendors to assess and address risks. Contracts with third-party service providers contain appropriate protective provisions for the Company including audit rights, third-party notification obligations, and security requirements for the retention of data.

Matthews maintains a cybersecurity Incident Response Plan. In the event of a cybersecurity incident, designated personnel including members of Information Technology (“IT”), finance, legal, communications, human resources and any affected unit or department are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements.

Matthews has experienced cyber-attacks in the past and, while none of these cyber-attacks resulted in a material disruption to the Company’s business, Matthews may experience additional cyber-attacks in the future. As of the filing of this Form 10-K, the Company is not aware of any such attacks that have occurred since the beginning of fiscal 2024 that have materially affected, or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition.

While the Company has implemented a cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, the Company may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, refer to Item 1A - “Risk Factors - The Company relies on information technology to operate the Company’s business. Security breach incidents and breakdowns of information technologies, or failure to comply with laws governing data privacy and data protection, could disrupt the Company’s operations, subject the Company to legal claims, and impact the Company’s financial results.”

Governance

Board of Directors Oversight

Cybersecurity risks are overseen by the Audit Committee of the Board of Directors of the Company. The Audit Committee and the Board of Directors oversee and periodically review the design and effectiveness of the Company’s cybersecurity program, as well as its contingency plans. The Chief Information Officer (“CIO”) and Director of IT Security provide regular reports to the Audit Committee, which include information about cyber-risk management, the effectiveness of the Company’s cybersecurity framework, direct or emerging threats to the Company, program maturity and strategy, third-party risk management, and benchmarking against its industry peers.

Management’s Role Managing Risk

Matthews’ CIO and Director of IT Security are primarily responsible for assessing and managing material risks from cybersecurity threats. The CIO reports directly to the Company’s Chief Financial Officer, and the Director of IT Security reports to the CIO. The CIO, Director of IT Security, and the Company’s cybersecurity team have decades of experience in various roles managing information security, developing cybersecurity strategy, and implementing, planning and operationalizing a comprehensive global IT infrastructure.

The Director of IT Security is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents. With the support of legal, the Director of IT Security is responsible for global regulatory compliance related to cybersecurity regulations and industry standards. The Director of IT Security also advises on the implementation of cybersecurity risk management in the Company’s products and services as they are being developed. As part of its risk management process, the Matthews management team also identifies, assesses and evaluates risks impacting the Company’s operations, including those risks related to cybersecurity, and raises them for internal discussion, and where it is determined to be appropriate, issues are also raised to the Board of Directors for consideration.


Company Information

Name: MATTHEWS INTERNATIONAL CORP
CIK: 0000063296
SIC Description: Nonferrous Foundries (Castings)
Ticker: MATW - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29