NACCO INDUSTRIES INC 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

NACCO INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 16:49:45 EST.

Filings

10-K filed on 2025-03-05

NACCO INDUSTRIES INC filed a 10-K at 2025-03-05 16:49:45 EST
Accession Number: 0000789933-25-000006


Item 1C. Cybersecurity.

Cybersecurity continues to be a key governance priority for us. NACCO maintains a cybersecurity program that is aligned with our business and has established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, which have been integrated into our overall risk management processes and governance structure. We have implemented and invested in, and will continue to implement and invest in, controls, technologies, and resources (both internal and external) that are designed to identify, protect against, detect, respond to and mitigate cybersecurity risks, in alignment with frameworks established by the National Institute of Standards and Technology. These include, but are not limited to, internal reporting mechanisms, monitoring and detection tools, threat intelligence, and general and role-based training. NACCO’s commitment to cybersecurity emphasizes cultivating a security-minded culture through education and training that reflect best practices and improved cybersecurity awareness. We also maintain third party management processes to identify and manage the cybersecurity risks associated with third party service providers.

We periodically evaluate our cybersecurity program internally and by engaging with consultants to conduct reviews and assessments of the program. Such reviews and assessments may include penetration testing, maturity assessments as well as table-top and other exercises with subsequent remediation of key findings. Additionally, we have a Cybersecurity Task Force in place that is comprised of individuals across various departments within our organization including information systems, legal, finance, human resources and internal audit which meets regularly to further advance our cybersecurity strategy.

Our Board of Directors (Board) oversees NACCO’s risk management. Our full Board regularly reviews information provided by management to oversee risk identification, risk management and risk mitigation strategies. The Audit Review Committee assists the Board with cybersecurity risk oversight. The Audit Review Committee is responsible for regularly reviewing and discussing with management risk exposure relating to cybersecurity, which includes reviewing the state of our cybersecurity program and emerging cybersecurity developments and threats, as well as the steps management has taken to monitor and mitigate such exposure. In 2024, our Board and the Audit Review Committee received periodic updates throughout the year on cybersecurity matters and these updates are part of their standing agendas.

Our Chief Information Security Officer (CISO) leads NACCO’s cybersecurity program and is responsible for the management of our cybersecurity risks. The CISO has extensive cybersecurity knowledge and skills gained from over 30 years of technical and business experience, including as General Manager & President of MLMC, Vice President of Mississippi Operations and Vice President of Innovation & Technology. The CISO holds a bachelor’s degree in engineering, an executive MBA, and certifications in cybersecurity from Harvard. Additionally, the CISO successfully completed an Executive course through Northwestern’s Kellogg School of Management focused on artificial intelligence during 2024. The CISO reports directly to the President and Chief Executive Officer. The CISO manages a team of internal and external resources that have expertise and experience in cybersecurity. The CISO is informed of cybersecurity incidents by the cybersecurity team, which is generally responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents.

We have an established process governing our assessment, response and internal and external notifications upon the occurrence of a cybersecurity incident, including evaluation of the potential impacts of cybersecurity incidents to determine materiality. Depending on the nature and severity of an incident, this process provides for escalation procedures upon discovery of material cybersecurity risks, including notification to our executive management and/or Board.

As of the date of this filing, our business strategy, results of operations, and financial condition have not been materially impacted as a result of any previously identified cybersecurity incidents; however, NACCO cannot provide assurance that we will not be materially impacted in the future by such risks or any future material incidents. For additional information regarding our cybersecurity risks, please refer to Item 1A - Risk Factors on page 18.


Company Information

Name: NACCO INDUSTRIES INC
CIK: 0000789933
SIC Description: Bituminous Coal & Lignite Surface Mining
Ticker: NC - NYSE
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30