KADANT INC 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

KADANT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 14:57:19 EST.

Filings

10-K filed on 2025-02-25

KADANT INC filed a 10-K at 2025-02-25 14:57:19 EST
Accession Number: 0000886346-25-000006


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity is an important element of our overall enterprise risk management program. Like other global companies, we have experienced cybersecurity threats and incidents, although none to date have been material or had a material adverse effect on our business, results of operations or financial condition.

We have a multilayered approach for assessing, identifying, evaluating, managing and monitoring risks related to cybersecurity threats, that is designed to help protect our information, systems, assets and operations from internal and external cybersecurity threats and help mitigate risks of cybersecurity incidents. We invest in efforts to protect, monitor, and mitigate risks from cybersecurity threats, including through our information security function, training and compliance programs, and regular employee training.

As part of our enterprise risk management program, we devote significant resources to protecting the security of our computer systems, software, networks and other technology assets, and our cybersecurity risk management processes include physical, procedural and technical safeguards. Our cybersecurity policies, standards and procedures include incident response plans designed to help coordinate our response to cybersecurity incidents. We seek to enhance our policies and practices, as appropriate, to adapt to changes in regulations and evolving cybersecurity risks, including by conducting cybersecurity incident tabletop exercises with our management team.

We engage external parties, including consultants, network security firms and other experts, to help us assess and enhance our cybersecurity oversight. For example, we have hired an external security vendor to conduct penetration and vulnerability testing on our networks and receive regular updates about cybersecurity risks in the industry.
In order to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we perform third-party risk assessments designed to help protect against the misuse of IT by third parties and business partners and request that material third-party service providers provide us information about their security policies and procedures. We monitor cybersecurity incidents involving our third-party providers and adjust our procedures, as appropriate.

In an effort to deter and detect cybersecurity threats, we require all employees who use an official company email account to conduct business to complete regular data protection and cybersecurity trainings, which cover timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educate employees on the importance of reporting potential incidents immediately. We also use technology-based tools to mitigate risks from cybersecurity threats.

As of the date of this filing, we do not believe that there currently are or have been any cybersecurity incidents, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. For more information on risks related to cybersecurity threats, please see Part I, Item 1A, “Risk Factors.”

Cybersecurity Governance and Oversight

Our cybersecurity program is integrated with the enterprise risk management framework and governance processes utilized by management and our board to oversee enterprise risk. Our board of directors has delegated oversight of cybersecurity risk to the risk oversight and sustainability committee to assist in fulfilling its oversight responsibilities with respect to management’s identification, prevention, evaluation, management, and monitoring of our critical enterprise risks.
The risk oversight and sustainability committee receives quarterly updates from our Head of Global IT or counsel regarding cybersecurity, including updates regarding recent cybersecurity incidents in the industry and the cybersecurity threat landscape, and is notified between such updates regarding significant new cybersecurity incidents, as appropriate. The board of directors receives regular reports from the risk oversight and sustainability committee.

Our cybersecurity program is overseen by our Head of Global IT, who is responsible for identifying and managing material cybersecurity risks. Our Head of Global IT oversees our global information security team (IT Security Team), which is responsible for leading organization-wide cybersecurity strategy, policy, standards and processes and works across relevant operating entities to assess and manage risks from cybersecurity threats. Our Head of Global IT and IT Security Team perform due diligence on the IT security systems and processes of all potential acquisition targets and have processes in place to manage post-acquisition network integration, including requiring all newly acquired companies to meet necessary security standards before they are permitted access into our IT networks or systems.

The Head of Global IT’s cybersecurity experience includes managing the network, infrastructure security and a cybersecurity team of a global consumer products company with a heavy online presence and with sales of services and goods to the U.S. government. In addition, our IT Security Team consists of employees that have security certifications from reputable cybersecurity training organizations, including CompTIA, and over 20 years of combined infrastructure architecture experience, including PCI, SOC1 and SOC2 level compliance.
We have also established a cross-functional Corporate Incident Response Team (CIRT) led by our General Counsel and consisting of various leaders, including our Head of Global IT, that is responsible for coordinating our response to cybersecurity incidents that present significant risk to us. The board of directors will be notified if the CIRT has been activated and provided periodic updates concerning the incident.


Company Information

Name: KADANT INC
CIK: 0000886346
SIC Description: Special Industry Machinery (No Metalworking Machinery)
Ticker: KAI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 27