SHYFT GROUP, INC. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

SHYFT GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 08:30:44 EST.

Filings

10-K filed on 2024-02-22

SHYFT GROUP, INC. filed an 10-K at 2024-02-22 08:30:44 EST
Accession Number: 0001437749-24-005136

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity . We rely on information technology systems across our operations, including for management, supply chain and financial information and various other processes and transactions. Our ability to effectively manage our business depends on the security, reliability and capacity of these systems. We have established a range of security measures that are designed to protect against the unauthorized access to and misappropriation of our information, corruption of data, intentional or unintentional disclosure of confidential information, or disruption of operations. We have implemented additional controls, security processes and monitoring of our manufacturing systems. We have also implemented additional cloud security tools and governance processes for assessing, identifying and managing material risks from cybersecurity threats. In addition, we maintain an information security training program that encompasses the following areas: phishing and email security, password security, data handling security, cloud security, operational technology security processes, and cyber-incident response and reporting processes. The oversight of our cybersecurity risk management process is integrated into our overall risk management process. Through our enterprise risk management process, which involves a broad cross-functional group across many areas of expertise and is structurally independent of our business lines, we identify and assess risk and risk-mitigation actions, including with respect to cybersecurity risks. Continuing oversight of our cybersecurity risk is addressed by a group of stakeholders that includes our information technology ( IT ) and cybersecurity leadership and IT leaders within our various facilities, with cybersecurity risk input provided from this team to our senior leadership team on a regular basis. In turn, our Chief Information Officer provides key updates on risk and mitigation strategies to the Audit Committee. We rely on third-party service providers to execute certain business processes, maintain certain information systems and infrastructure, evaluate defenses, and implement recommendations. We periodically have external information security assessments performed by third parties to analyze our internal assessment results and to stay informed of information security risks. Additionally, we maintain a supplier validation process, which involves approval by our cybersecurity group for significant suppliers that will have access to any of our databases or technology. We also maintain processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. While we have experienced cybersecurity incidents in the past, to date, none have materially affected, or reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial position. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Risk Factors– More General Risks Applicable to Our Industry. Governance The Board of Directors is responsible for overseeing risk for the Company and has delegated to the Audit Committee responsibility for overseeing the cybersecurity risk management strategy for the Company. The Audit Committee reviews how we are executing against our comprehensive cybersecurity framework, including reviewing our cybersecurity reporting protocol. The Audit Committee receives regular updates on cybersecurity risks from our Chief Information Officer ( CIO ). The Audit Committee also regularly receives updates on efforts regarding data loss prevention, regulatory compliance, data privacy, threat and vulnerability management, cyber-crisis management, and other topics as applicable. Additionally, management provides the Audit Committee with a cybersecurity dashboard, which the full Board of Directors can access as well. The Company s cybersecurity program is overseen by our CIO, who is responsible for assessing and managing material risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity incidents. Our CIO has over 20 years of global automotive technology and cybersecurity experience and reports to our President and Chief Executive Officer. The Company s Security Manager reports to our CIO and is the head of our cybersecurity team. The Security Manager is responsible for assessing and managing our cyber risk management program, informs senior management, together with the CIO, regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. Our Security Manager has over 15 years of experience in technology and cybersecurity, a master s degree in information security and industry certifications, including CISSP, CDPSE, ITIL, and COBIT. 21

Company Information