Page last updated on March 27, 2025
SYPRIS SOLUTIONS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 11:05:42 EDT.
Filings
10-K filed on 2025-03-27
SYPRIS SOLUTIONS INC filed a 10-K at 2025-03-27 11:05:42 EDT
Accession Number: 0001437749-25-009524
Item 1C. Cybersecurity.
Risk Management and Strategy

We maintain a cybersecurity and information security program, which leverages the National Institute of Standards and Technology (“NIST”) 800-171. Risks from cybersecurity threats are regularly evaluated as part of our broader risk management activities and as a fundamental component of our internal control system. The scope of our evaluation encompasses risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers.

Key personnel receive enhanced cybersecurity training regularly. Our IT team engages third-party vendors to assist with providing timely cybersecurity threat alerts in addition to monitoring cybersecurity threats and our defenses against cyberattacks. This monitoring includes the proactive identification of vulnerabilities in our systems with threat intelligence. The employees within our IT team who specialize in cybersecurity operations are responsible for coordinating and overseeing the activities of these third-party vendors.

Sypris has a managed service provider (MSP) for incident response of cybersecurity threats and cybersecurity incidents and is managed by the Chief Information Security Officer (“CISO”), who coordinates activities and monitors response performance. The CISO reports to the VP of Administration who prepares briefings to the Board of Directors, and other relevant committees. Our IT team evaluates security alerts received from our MSP, and any alert or threat that the MSP or the IT team identifies as a cybersecurity incident (such as a data security breach) is promptly escalated for further assessment and immediate remediation.

Upon confirmation that a cybersecurity incident has occurred, our IT team will coordinate with our MSP and representatives from other internal departments, the VP of Administration, legal counsel and other service providers as needed. The VP of Administration directs the development of a coordinated response strategy, entailing risk containment, notification processes, system restoration, incident documentation and assessment. The VP of Administration will notify the other members of our senior management team and the Chairman of the Finance and Audit Committee and the Independent Directors of our Board of Directors as needed.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to affect us, including our business strategy, results of operations or financial condition. We and our third-party service providers have frequently been the target of cybersecurity threats and expect them to continue, and for an additional description of these cybersecurity risks and potential related impacts on us, see “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.

Governance

Board of Directors and Board Committees. In accordance with our Guidelines on Corporate Governance, the Board of Directors, both directly and through its committees, oversees the proper functioning of our risk management process. In particular, the Audit and Finance Committee assists the Board in its oversight of management’s responsibility to assess, manage and mitigate risks associated with the Company’s business and operational activities, including data privacy and cybersecurity concerns. The Board and Committee each meet at regularly scheduled and special meetings throughout the year at which meetings management reports to the Board concerning the results of its risk management activities, as well as external factors that may change the levels of business risk to which we are exposed. Specifically, the Audit and Finance Committee receives regular updates from the VP of Administration, as often as necessary but at least once per year, with respect to our cybersecurity threats and responses to any cybersecurity incidents.

Management’s Responsibilities. Management has implemented risk management structures, policies and procedures, and manages our risk exposure on a day-to-day basis. Accordingly, management assesses and responds to cybersecurity threats as part of our ongoing risk assessment and as an internal control over financial reporting. The VP of Administration directs our cybersecurity operations and risk responses. The CISO, who has 30 years of IT architecture, infrastructure and operations experience working directly with the MSP. The CISO reports to the VP of Administration who has 30 years of experience in all facets of IT, business process and controls. The VP of Administration reports to the President, CEO and Chairman of the Board of the Company and reports regularly to the Audit Committee and to the full Board of Directors, providing insights into our cybersecurity posture, incidents, and remediation efforts. VP of Administration meets with the MSP at least once every quarter to review and assess cybersecurity incidents and non-incident threats (and response measures undertaken) to determine if any adjustment to our cybersecurity managed services is required.
Company Information
Name | SYPRIS SOLUTIONS INC |
CIK | 0000864240 |
SIC Description | Industrial Instruments For Measurement, Display, and Control |
Ticker | SYPR - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |