UFP TECHNOLOGIES INC 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

UFP TECHNOLOGIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 09:38:27 EST.

Filings

10-K filed on 2024-02-29

UFP TECHNOLOGIES INC filed an 10-K at 2024-02-29 09:38:27 EST
Accession Number: 0001171843-24-001078

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy The Company employs a multi-faceted approach to assess, identify, and manage material risks from cybersecurity threats. Components of our approach include the following: The use of a cyber risk matrix that assesses the likelihood and impact of threats and risks identified in the Company s hardware, software, and data systems. Threats are ranked by potential severity and mitigation / remediation efforts are tracked. Matrix is updated on a semi-annual basis and as new risks are identified. System penetration testing is performed by rotating third-party service providers at least every 18 months. System vulnerability testing is performed by the Company monthly. Network assessments are performed at least annually by qualified third-party service providers. Monitoring of Federal government alerts (CISA, FBI) and industry threat information is performed to stay current on the newest cybersecurity threats bad actor tactics. Multifactor authentication is required for all authorized users to access network resources which adds a second layer of protection from unauthorized entry to our systems. The cybersecurity practices and controls are derived from multiple recognized cybersecurity frameworks to meet the evolving needs of our organizations. 17 The cybersecurity risk assessment process is part of the Company s overall risk management process. As noted above, the Company utilizes third-party consultants and services in our process of assessing and managing cybersecurity risk. To mitigate the risk of cybersecurity threats related to the use of third-party service providers, the Company obtains and reviews System of Organization Controls (SOC) reports from third parties when available, to provide assurance that the third-party has appropriate controls in place and has not identified any significant cyber issues. The Company does not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to affect our business strategy, results of operations, or financial condition. See Item 1A Risk Factors for a summary of certain cybersecurity risks. Governance While general risk assessment and management oversight resides with the Company s Audit Committee, oversight of risks from cybersecurity threats resides with our Board of Directors. The Company s Audit Committee is in charge of reviewing the Company s information security disclosures and incident reporting related to cybersecurity. The Company s Board of Directors is in charge of reviewing the Company s information security procedures and evaluating management s assessment of materiality for cyber incidents. The Board of Directors is formally updated on cybersecurity risks by the VP of Information Technology no less than annually. Management is responsible for assessing and managing material risks from cybersecurity threats. This responsibility primarily resides with the VP of Information Technology and his qualified team, including dedicated cyber security personnel. The qualifications of the Information Technology team include a combination of formal education (e.g. degrees in Information Assurance, Computer Information Systems, Computer Networking, and current enrollment in a Cyber Security degree program); current trainings and certifications in systems, network and cybersecurity; and, over 100 years of combined Information Technology experience. Management s process for monitoring prevention, detection, mitigation, and remediation of cybersecurity incidents is summarized above in the Risk management and strategy section .

Company Information