Loar Holdings Inc. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Loar Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 09:00:24 EDT.

Filings

10-K filed on 2025-03-31

Loar Holdings Inc. filed a 10-K at 2025-03-31 09:00:24 EDT
Accession Number: 0000950170-25-047242


Item 1C. Cybersecurity.

Our information technology (IT) systems process, store, and transmit sensitive information, and we are heavily reliant on IT to operate our business. As such, IT security is viewed as a critical aspect of our business and one which we must continually evaluate and optimize in order to ensure ongoing effectiveness across the business in meeting the challenge of evolving cyber threats. We have incorporated a number of technical, administrative and personnel controls in order to holistically address cybersecurity threats across the business.

Cybersecurity Policies and Standards

We have a comprehensive collection of documented policies and standards that are leveraged to establish and affirm expectations for security controls, mitigate known cybersecurity risks and provide consistent levels of protection across the Company. Our policies and standards are effective in meeting numerous compliance requirements while simultaneously reducing duplication of controls.

Incident Response

Our incident response plan provides consistent guidance for preparing for cybersecurity incidents and events, establishes clear ownership of roles and responsibilities during a cyber incident, and has inter-dependent processes for detecting and responding to cyber incidents to include leveraging guidance from the legal team. We have retained a trusted and experienced third-party investigator/negotiator, and also maintain cybersecurity insurance to help mitigate the risk of a catastrophic cyber event.

Technical Controls

We have implemented a technical security architecture consisting of a multitude of controls to identify, protect, detect, and respond to cybersecurity events. Continually evaluating common and best practices for deploying these controls, as well as determining when new or alternative controls may be more appropriate or effective, aids in our ability to counter actions from evolving threat actors. We also leverage various sources of cyber intelligence to ensure that technical controls maintain optimal configuration and deployment models to increase control effectiveness.

Third Party Security Monitoring

Leveraging an industry recognized expert in cybersecurity monitoring, we have incorporated cybersecurity monitoring to increase visibility, awareness and responsiveness to cyber threat actors. Our monitoring partner is able to quickly analyze and alert us to suspicious activity, as well as take part in any active cyber investigation when necessary. The monitoring expertise provided allows us to focus on other aspects of cybersecurity while simultaneously ensuring that we are prepared to detect and respond appropriately to security incidents.

Testing and Validation

We have incorporated multiple avenues of control and process testing and validation across the company. Our internal audit team regularly tests controls against established policies and standards. We leverage a trusted partner for performing regular penetration tests, to include phishing simulation exercises. Our IT and security team regularly conduct control validation exercises for each of the business units. We conduct regular incident response tabletop exercises to test and validate awareness of roles and responsibilities of incident responders across the organization and to educate individuals as to real world security incident scenarios.

Security Awareness

All employees are required to undertake security awareness training on a number of topics to include phishing awareness, importance of cybersecurity and proper cyber hygiene, insider threat awareness and roles and responsibilities. Our IT and security teams regularly update training modules being leveraged in order to provide timely and relevant awareness, as well as to aid in better individual engagement with the training.

Management of Third-Party Risks

We manage third-party risks from vendors and service providers by requiring that providers comply with our cybersecurity requirements and employ appropriate security controls in accordance with local, state and Federal laws. We evaluate applicable security controls of vendors and providers prior to contracting and at least annually thereafter. We evaluate the impact of any control deficiencies or exceptions identified during the review process and consider the effectiveness of the service provider’s remediation plans and their commitment to addressing identified issues when determining continued engagement with the service provider.

Board Oversight and Management’s Role

Our cybersecurity program is led by our Chief Information Security Officer (CISO) at the direction of the CFO in coordination with our Director of IT. Our CISO has over 30 years of experience in cybersecurity and cyber risk management. His role includes assessing enterprise cybersecurity risks, developing policies and standards for the cybersecurity program, developing strategies for mitigating cybersecurity risks and informing senior leadership on cybersecurity related issues and activities affecting the organization. The CISO works with the IT and security team to implement cybersecurity controls across the organization.

Our Board of Directors is ultimately responsible for cybersecurity risk and has delegated its oversight to the Audit Committee. The Audit Committee considers cybersecurity risks in connection with its financial and compliance risk oversight role. The Audit Committee receives updates on cybersecurity risks and key initiatives for mitigating those risks from the CISO and CFO.

For more information about the potential impact of cybersecurity risks, please refer to Item 1A. Risk Factors.


Company Information

Name: Loar Holdings Inc.
CIK: 0002000178
SIC Description: Aircraft Parts & Auxiliary Equipment, NEC
Ticker: LOAR - NYSE
Website:
Category: Emerging growth company
Fiscal Year End: December 30