NACCO INDUSTRIES INC 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

NACCO INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 16:48:26 EST.

Filings

10-K filed on 2024-03-06

NACCO INDUSTRIES INC filed a 10-K at 2024-03-06 16:48:26 EST
Accession Number: 0000789933-24-000016


Item 1C. Cybersecurity.

The Company maintains a cybersecurity program that is aligned with its business and has established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, which have been integrated into its overall risk management processes and governance structure. The Company has implemented and invested in, and will continue to implement and invest in, controls, technologies, and resources (both internal and external) that are designed to identify, protect against, detect, respond to and mitigate cybersecurity risks, in alignment with frameworks established by the National Institute of Standards and Technology. These include, but are not limited to, internal reporting mechanisms, monitoring and detection tools, threat intelligence, and general and role-based training. The Company also maintains third party management processes to identify and manage the cybersecurity risks associated with third party service providers.

The Company periodically evaluates its cybersecurity program internally and by engaging with consultants to conduct reviews and assessments of the program. Such reviews and assessments may include penetration testing, maturity assessments as well as table-top and other exercises with subsequent remediation of key findings. Additionally, the Company has a Cybersecurity Task Force in place that is comprised of individuals across various departments within the organization including information systems, legal, finance, human resources and internal audit which meets regularly to further advance the Company’s cybersecurity strategy.

The Board of Directors (the “Board”) oversees NACCO’s risk management. The full Board regularly reviews information provided by management to oversee risk identification, risk management and risk mitigation strategies. The Audit Review Committee assists the Board with cybersecurity risk oversight. The Audit Review Committee is responsible for regularly reviewing and discussing with management risk exposure relating to cybersecurity, which includes reviewing the state of the Company’s cybersecurity program and emerging cybersecurity developments and threats, as well as the steps management has taken to monitor and mitigate such exposure. In 2023, the Board and the Audit Review Committee received periodic updates throughout the year on cybersecurity matters and these updates are part of their standing agendas.

The Company’s Chief Information Security Officer (“CISO”) leads the Company’s cybersecurity program and is responsible for the management of its cybersecurity risks. The CISO has extensive cybersecurity knowledge and skills gained from over 30 years of technical and business experience, including as General Manager & President of MLMC, Vice President of Mississippi Operations and Vice President of Innovation & Technology. The CISO holds a bachelor’s degree in engineering, an executive MBA, and certifications in cybersecurity from Harvard. Additionally, the CISO is currently enrolled in an Executive course through Northwestern’s Kellogg School of Management focused on artificial intelligence (“AI”). The CISO reports directly to the President and Chief Executive Officer. The CISO manages a team of internal and external resources that have expertise and experience in cybersecurity.

The CISO is informed of cybersecurity incidents by the cybersecurity team, which is generally responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Company has an established process governing its assessment, response and internal and external notifications upon the occurrence of a cybersecurity incident, including evaluation of the potential impacts of cybersecurity incidents to determine materiality. Depending on the nature and severity of an incident, this process provides for escalation procedures upon discovery of material cybersecurity risks, including notification to the Company’s executive management and/or Board.

As of the date of this filing, the Company’s business strategy, results of operations, and financial condition have not been materially impacted as a result of any previously identified cybersecurity incidents; however, we cannot provide assurance that they will not be materially impacted in the future by such risks or any future material incidents. For additional information regarding the Company’s cybersecurity risks, please refer to “Item 1A - Risk Factors” on page 19.


Company Information

Name: NACCO INDUSTRIES INC
CIK: 0000789933
SIC Description: Bituminous Coal & Lignite Surface Mining
Ticker: NC - NYSE
Website:
Category: Accelerated filer, Smaller reporting company
Fiscal Year End: December 30