SIFCO INDUSTRIES INC 10-K Cybersecurity GRC - 2024-12-23

Page last updated on December 26, 2024

SIFCO INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-23 21:24:39 EST.

Filings

10-K filed on 2024-12-23

SIFCO INDUSTRIES INC filed a 10-K at 2024-12-23 21:24:39 EST
Accession Number: 0000090168-24-000060

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have processes in place aimed at assessing, identifying, and managing material risks from cybersecurity threats. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Key elements of our cybersecurity risk management program include: - periodic risk assessments designed to help identify material cybersecurity risks to our critical systems and information; - a formal register documenting and mitigating identified risks, reviewed by management on a quarterly basis; - a data protection team principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents; - the regular use of external service providers to independently assess and test security posture, as well as to otherwise assist with aspects of our security processes; - cybersecurity awareness training of our employees, including incident response personnel and senior management; - a written cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, including data storage and restoration and disaster recovery plans; and - a third-party risk management process for key service providers based on our assessment of their criticality to our operations and respective risk profile. As reported on Forms 8-K filed January 6, 2023 and February 10, 2023, the Company became aware of unauthorized access to the Company’s systems on December 30, 2022. The Company’s domestic operations were impacted by the Cyber Incident, which resulted in production delays and delayed shipments due to information access limitations. The Company immediately initiated response protocols and an investigation, engaging cyber security experts to assist with the assessment of the incident and to help determine what data was impacted. The Company has since completed data recovery and restoration from the cyber incident. See Note 12 - Commitments and Contingencies of the Notes to Consolidated Financial Statements . Except for the above incident, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, which have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors-Risks Related to Our Business and Operations.” Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and maintains oversight of risk assessment and risk management, including cybersecurity and other information technology risks. In addition, our Board of Directors oversees management’s implementation of our cybersecurity risk management program. The Board of Directors receives periodic reports from management on our cybersecurity risks. In addition, management updates the Board of Directors, where it deems appropriate, regarding cybersecurity incidents it considers to be significant or potentially significant. These presentations may cover a range of topics, including: - the current cybersecurity landscape and best practices for mitigating emerging threats; - progress on cybersecurity projects; - incident reports; - updates from past event(s); and - adherence to regulatory requirements and/or industry standards, as appropriate. Our management team, including our Data Protection Officer and external counsel, are responsible along with the Company’s Board of Directors for assessing and managing our material risks from cybersecurity threats. Our Data Protection Officer has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Data Protection Officer has extensive experience in information technology, including prior experience in cybersecurity architecture. We have a diverse information security team, including external consultants, with varying backgrounds and experience and levels of information security certification. Our management team takes steps to remain informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Company Information