Page last updated on March 3, 2025
UFP TECHNOLOGIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 09:37:30 EST.
Filings
10-K filed on 2025-03-03
UFP TECHNOLOGIES INC filed a 10-K at 2025-03-03 09:37:30 EST
Accession Number: 0001171843-25-001192
Item 1C. Cybersecurity.
Risk management and strategy
The Company employs a multi-faceted approach to assess, identify, and manage material risks from cybersecurity threats. Components of our approach include the following:
● The Company aligns its cybersecurity program with the Center for Internet Security (“CIS”) framework of Critical Security Controls.
● System penetration testing is performed by rotating third-party service providers at least every 18 months.
● System vulnerability testing performed by our cybersecurity partner who is System of Organization Controls (“SOC”) 2 certified and also assists with mitigation.
● Network assessments are performed at least annually by qualified third-party service providers.
● Facilitated incident response tabletop exercises conducted at least bi-annually by qualified cybersecurity service providers.
● Monitoring of Federal government alerts (CISA, FBI) and industry threat information is performed to stay current on the newest cybersecurity threats and bad actor tactics.
● Multifactor authentication is required for all authorized users to access network resources, which adds a second layer of protection from unauthorized entry to our systems.
● Associates are required to complete mandatory cybersecurity awareness training annually.
● We have Certified Information System Security Professional (“CISSP”) and Information Systems Security Management Professional (“ISSMP”) certifications among our internal security personnel.
The cybersecurity risk assessment process is part of the Company’s overall risk management process. Our cybersecurity partner helps us prioritize actions to improve compliance with CIS Critical Security Controls and assists with those actions. The Company also utilizes other third-party consultants and services in our process of assessing and managing cybersecurity risk for a diverse perspective of our cybersecurity practices and posture.
To mitigate the risk of cybersecurity threats related to the use of third-party service providers, the Company obtains and reviews SOC reports from third parties when available, to provide assurance that the third-party has appropriate controls in place and has not identified any significant cyber issues.
The Company does not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to affect our business strategy, results of operations, or financial condition. See Item 1A “Risk Factors” for a summary of certain cybersecurity risks.
Governance
General risk assessment and management oversight resides with the Company’s Board of Directors. The Company’s Audit Committee has oversight of financial risks and is in charge of reviewing the Company’s information security disclosures and incident reporting related to cybersecurity. The Company’s Board of Directors reviews the Company’s information security procedures and evaluates management’s assessment of materiality for cyber incidents. The Board of Directors is formally updated on cybersecurity risks no less than annually.
Management is responsible for assessing and managing material risks from cybersecurity threats. This responsibility primarily resides with the VP of Information Technology and his qualified team, including dedicated cyber security personnel. The qualifications of the Information Technology team include a combination of formal education (e.g., Master’s degrees in Cybersecurity and Information Assurance), CISSP and ISSMP certifications, and over 100 years of combined Information Technology experience. Management’s process for monitoring prevention, detection, mitigation, and remediation of cybersecurity incidents is summarized above in the Risk management and strategy section.
Company Information
Name | UFP TECHNOLOGIES INC |
CIK | 0000914156 |
SIC Description | Surgical & Medical Instruments & Apparatus |
Ticker | UFPT - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |