Mistras Group, Inc. 10-K Cybersecurity GRC - 2025-03-11

Page last updated on March 11, 2025

Mistras Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-11 16:52:39 EDT.

Filings

10-K filed on 2025-03-11

Mistras Group, Inc. filed a 10-K at 2025-03-11 16:52:39 EDT
Accession Number: 0001436126-25-000026


Item 1C. Cybersecurity.

We prioritize the protection of our data assets, the private data of our employees, customers, and vendors, and personal information. To assess, identify, and manage the risks of cybersecurity threats to our information systems and the associated costs, we maintain a robust cybersecurity program that is integrated into the Company's overall Enterprise Risk Management strategy. We understand that threats from hackers and other cyber criminals continue to adapt and become more sophisticated, and so must our response to these threats.

Governance

Our Board is responsible for oversight of our cybersecurity program. The Audit Committee, Enterprise Risk Committee, and the Information Technology Leadership Team support the Board in the oversight of our information security program and are focused on cybersecurity and data privacy risk, including compliance with all applicable laws and regulations, incident response planning, timely identification and assessment of incidents, incident recovery and business continuity considerations. Our cybersecurity risk management and internal controls program are aligned to ISO27001 Standards and the National Institute of Standards and Technology (NIST) framework. As part of our cybersecurity program management activities and our continuing efforts to evaluate and enhance the effectiveness of our cybersecurity policies and procedures, we actively engage internal and prominent external experts, as well as industry participants.

Our cybersecurity program is managed by the Chief Information Officer, who has biannual meetings with the Audit Committee and provides periodic reports and updates concerning our cybersecurity program to our Chief Executive Officer and other members of our senior management, as appropriate. These reports include updates on our cyber risk and threats, the status of projects to strengthen our information network and data security, assessments of our information security program, and the emerging threat landscape. We have established governance committees to provide us with cybersecurity oversight with supportive roles to advance the effectiveness of our cybersecurity program. The Chief Information Officer has over 20 years of IT leadership and cybersecurity experience, and the Information Technology Leadership Team overall has a combined fifteen years of cybersecurity experience. The Chief Information Officer and members of the Information Technology Leadership Team maintain industry-recognized credentials relevant to their roles and stay informed on the latest trends and technologies.

The Chief Information Officer manages both an Information Security team and an IT Risk team within the Department of Information Technology. The IT Risk team works closely with our Data Privacy Officer for governance and compliance related to regulations and frameworks for data classification, data privacy, handling of private data and controlled unclassified information, and internal policies and procedures. The Cyber Security team is responsible for identifying and implementing technologies to mitigate IT risk, enhance data security, and identify and defend against attacks. Both teams work closely together to establish the cybersecurity policies for the Company, evaluate the current risk profile, and prevent, investigate, mitigate, and remediate any cyber-attacks on the Company.

Risk Management and Strategy

The IT Risk team uses an asset-based risk approach for evaluating cybersecurity risks and appropriate risk mitigation. All IT assets are reviewed against a broad range of risks twice a year and are evaluated for likelihood of occurrence and impact should they occur. These risks are then mapped to our global inventory of systems, and the type of data as well as the number of systems to which a risk applies are evaluated. These factors are used to determine a risk score for each of the reviewed risks, and mitigations are subsequently applied to reduce those risk scores to determine the areas of focus for increasing mitigations. This exercise is logged biannually to monitor improvement.

We have several physical, automated, and administrative controls in place to mitigate the success and extent of any cyber breaches. Our controls are designed to require review of tasks which may occur in the normal course of business but are also common vectors of attack. Automated controls are implemented in all cases where one is feasible, and in other cases standard procedures or documented instructions are in place to ensure that actions are proper and approved before they occur. Policies related to cybersecurity risks are documented, reviewed annually, and published internally, and define the correct processes for identifying, containing, remediating, and responding to cybersecurity incidents. Our data protection policies define the establishment of the classification of types of data. Based upon this data classification, we determine an incident's materiality and establish the appropriate response, the incident management team, and the communications required to be distributed to third parties. Incident management policies are in place to establish the proper communication channels and responsible parties for different levels of materiality of an incident. We practice these policies and procedures in a tabletop or simulated fashion multiple times annually.

Each employee plays a role in safeguarding our data assets, and the protection of our data is ingrained in every employee's day-to-day activities. Employees must participate in annual cyber security training. Simulated testing occurs multiple times throughout the year, including drop testing and SPAM / PHISHING campaigns; the results are tracked for compliance, and we address any weaknesses identified in such trainings and tests as necessary. The Information Security team performs internal threat hunting, vulnerability scanning, log aggregation, and identity monitoring on an ongoing basis. Website, code, and configuration vulnerability scans are performed as necessary to ensure that changes do not introduce vulnerabilities into our systems. Information Security and IT Risk personnel receive regular training to ensure these individuals have up-to-date expert knowledge.

To supplement our cybersecurity risk assessment, identification, management, and mitigation efforts, we engage third-party cyber security experts. Cyber security assessments are performed at least annually, results are documented and reviewed, and mitigation plans are put in place to reduce any threats identified. The classification of data processed by any system is considered when implementing mitigations. We recognize the importance of overseeing and identifying material risks from cybersecurity threats associated with our use of third-party vendors. We perform a thorough review of the cyber security measures in place, including any documented third-party audits, for any partners who process our data. Sign-off is required by the Information Security team before agreements can be put in place.

We believe that our current preventative actions and response activities provide adequate measures of protection against security breaches and generally reduce our cybersecurity risks. However, cybersecurity threats are constantly evolving, are becoming more frequent and more sophisticated, and are being made by groups of individuals with a wide range of expertise and motives, which increases the difficulty of detecting and successfully defending against them. While we have implemented measures to safeguard our operational and technology systems and have established a culture of continuous learning, monitoring and improvement, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. However, as of the date of this Annual Report, management has determined that none of the cybersecurity attacks that we have experienced has resulted in a material impact on our financial condition, results of operations or business strategy. In addition, as of the date of this Annual Report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. For additional information regarding how cybersecurity threats have affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see Part I, Item 1A, "Risk Factors-Risks Related to Our Business-We face risks regarding our information technology and security".


Company Information

Name: Mistras Group, Inc.
CIK: 0001436126
SIC Description: Services-Engineering Services
Ticker: MG - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30