Page last updated on December 2, 2024
EACO CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-29 14:35:30 EST.
Filings
10-K filed on 2024-11-29
EACO CORP filed a 10-K at 2024-11-29 14:35:30 EST
Accession Number: 0001410578-24-002066
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Our cybersecurity policies and processes are fully integrated into our Risk Management procedures and are based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), a toolkit for organizations to manage cybersecurity risk in its assessment of cybersecurity capabilities and in developing cybersecurity priorities. In addition to internal assessments, our cybersecurity strategy and capabilities are evaluated and audited against the NIST Framework and industry best practices by independent, third-party, leading specialists in cybersecurity.
We strive to create a culture of cybersecurity resilience and awareness. This tone is continuously reinforced with our employees through education and regular testing. We continue to improve our programs and invest in the security of our systems, operations, people, infrastructure, and cloud environments.
Our cybersecurity strategy seeks to follow industry best practices designed to ensure compliance with applicable global privacy and regulatory requirements. To protect our customers, we administer physical, technological and administrative controls on data privacy and security. We regularly validate our security controls by performing penetration testing, compliance audits, as well as proactive security testing to ensure our systems and controls are secure.
We plan to brief the Board of Directors on our strategy and roadmap in alignment with the NIST Cybersecurity Framework and we plan to provide our Board with regular updates regarding cybersecurity risks, threat landscape and overall program progress.
We believe that the risks from cybersecurity threats thus far, including any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our business, including our business strategy, financial condition or results of operations. For additional information about the cybersecurity risks, see Part I, Item 1A. "Risk Factors," of this Annual Report.
Our cybersecurity risk management procedures are focused on the following key areas:
Education and Awareness
We provide required security awareness education and training to our employees and contractors with system access that focuses on various aspects of the cybersecurity world. Users of our internal systems are required to complete an annual cybersecurity awareness training and are tested for awareness on a regular basis. We also provide tailored training courses to functional technology employees and employees who process personal or sensitive information.
Threat Management, Incident Response, and Recovery Planning
We have established and maintain a comprehensive incident response and recovery plan designed to identify, contain and eradicate cybersecurity threats, with recovery from an incident as rapidly as possible. Our information security team utilizes threat technologies and vendors 24/7 to monitor and respond to security threats. In the event of a security incident, a defined procedure outlines containment, response and immediate recovery actions. The incident response plan is tested, evaluated and updated no less than on an annual basis.
Data and Consumer Privacy
Our data and consumer privacy program monitors, adapts to and works diligently to comply with changes in global privacy legislation. We have implemented technical, procedural and organizational measures designed to comply with applicable data protection and consumer privacy laws. We conduct external benchmarking, as well as privacy compliance audits, to stay abreast of developing privacy laws and understand developing risks, best practices and industry trends.
Third-Party Risk Management
We recognize the risks associated with the use of vendors, service providers, and other third parties that provide information system services to us, process information on our behalf, or have access to our information systems. The Company has processes in place to oversee and manage these risks. We have an information risk management program that includes a vendor risk assessment process, whereby we systematically oversee and identify risks from cybersecurity threats related to our use of key third-party service providers.
Cybersecurity Governance
Our executive management team and Board of Directors oversee our policies with respect to risk assessment and the management of those risks that may be material to us, including cybersecurity risks. While cybersecurity resilience is the responsibility of every employee and contractor, our cybersecurity program is led by the Director of Information Technology (“Director of IT”), who reports to the President and COO. Our Director of IT has extensive experience in network engineering and cybersecurity operations from both a practical and management standpoint and attends training in cybersecurity and risk mitigation.
We plan to provide our Board of Directors with a comprehensive annual report of cybersecurity risks, threat landscape, and overall program status. On an annual basis, the President also will report to the Board of Directors on various metrics on threat management, incident response and recovery planning, along with industry benchmarks.
Company Information
Name | EACO CORP |
CIK | 0000784539 |
SIC Description | Wholesale-Electronic Parts & Equipment, NEC |
Ticker | EACO - OTC |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | August 30 |