Mistras Group, Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Mistras Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:40:52 EDT.

Filings

10-K filed on 2024-03-11

Mistras Group, Inc. filed an 10-K at 2024-03-11 16:40:52 EDT
Accession Number: 0001436126-24-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We prioritize the protection of our data assets, the private data of our employees, customers, and vendors, and personal information. To assess, identify, and manage the risks of cybersecurity threats to our information systems and the associated costs, we maintain a robust cybersecurity program that is integrated into the Company s overall Enterprise Risk Management strategy. We understand that threats from hackers and other cyber criminals continues to adapt and become more sophisticated, and so must our response to these threats. Governance Our Board of Directors ( the Board ) is responsible for oversight of our information security program. The Audit Committee, Enterprise Risk Committee, and the Information Technology Leadership Team support the Board in the oversight of our information security program and are focused on cybersecurity and data privacy risk, including compliance with all applicable laws and regulations, incident response planning, timely identification and assessment of incidents, incident recovery and business continuity considerations. The Divisional Vice President of IT has a biannual meeting with the Audit Committee and other senior executives to provide an update of our current cyber security posture, IT Risk assessment, and compliance with multiple applicable regulations, frameworks, and other privacy initiatives. The Divisional Vice President of IT, along with the Information Technology Leadership Team, also meet with other senior executives every other week throughout the year to discuss on-going cyber security and governance initiatives and risk mitigations. The Divisional Vice President of IT has fifteen years of cybersecurity 29 Table of Contents experience, including ten years with Mistras Group, and the Information Technology Leadership Team has a combined fifteen years of cybersecurity experience, including a combined ten years with Mistras Group. The Divisional Vice President of IT and members of the Information Technology Leadership Team maintain industry recognized credentials relevant to their roles. The Divisional Vice President of IT manages both an Information Security team and an IT Risk team within the Department of Information Technology. The IT Risk team is responsible for governance and compliance related to regulations and frameworks for data classification, data privacy, handling of private data and CUI, and internal policies and procedures. The Cyber Security team is responsible for identifying and implementing technologies to mitigate IT risk, enhance data security, and identify and defend against attacks. Both teams work closely together to establish the cybersecurity policies for the Company, evaluate the current risk profile, and to prevent, investigate, mitigate, and remediate any cyber-attacks on the Company. Risk Management and Strategy The IT Risk team uses an asset-based risk approach for evaluating cybersecurity risks and appropriate risk mitigation. All IT assets are reviewed against a broad range of risks twice a year and are evaluated for likelihood of occurrence and impact should they occur. These risks are then mapped to our global inventory of systems and the type of data as well as the number of systems to which a risk applies are evaluated. These factors are used to determine a risk score for each of the reviewed risks, and mitigations are subsequently applied to reduce those risk scores to determine the areas of focus for increasing mitigations. This exercise is logged biannually to monitor improvement. We have several physical, automated, and administrative controls in place to mitigate the success and extent of any cyber breaches. Our controls are designed to require review of tasks which may occur in the normal course of business but are also common vectors of attack. Automated controls are implemented in all cases where one is feasible, and in other cases standard procedures or documented instructions are in place to ensure that actions are proper and approved before they occur. Policies related to cybersecurity risks are documented, reviewed annually, and published internally, which define the correct processes for identifying, containing, remediating, and responding to cybersecurity incidents. Our data protection policies define the establishment of the classification of types of data. Based upon this data classification, we determine an incident s materiality and establish the appropriate response, the incident management team, and the communications required to be distributed to third parties. Incident management policies are in place to establish the proper communication channels and responsible parties for different levels of materiality of an incident. We practice these policies and procedures in a tabletop or simulated fashion multiple times annually. Each employee plays a role in safeguarding our data assets, and the protection of our data is ingrained in every employee s day to day activities. Employees must participate in annual Cyber Security training. Simulated testing occurs multiple times throughout the year, including drop testing and SPAM / PHISHING campaigns, and the results are tracked for compliance and we address any weaknesses identified in such trainings and testings as necessary. The Information Security team performs internal threat hunting, vulnerability scanning, log aggregation, and identity monitoring on an on-going basis. Web site, code, and configuration vulnerability scans are performed as necessary to ensure that changes do not introduce vulnerabilities into our systems. Information Security and IT Risk personnel receive regular training to ensure up-to-date expert knowledge. To supplement our cybersecurity risk assessment, identification, management, and mitigation efforts, we engage third party cyber security experts. Cyber security assessments are performed at least annually, results are documented and reviewed, and mitigation plans are put in place to reduce any threats identified. The classification of data processed by any system is considered when implementing mitigations. We recognize the importance of overseeing and identifying material risks from cybersecurity threats associated with our use of third-party vendors. We perform a thorough review of the cyber security measures in place, including any documented third-party audits, for any partners who process our data. Sign-off is required by the Information Security team before agreements can be put in place. We believe that our current preventative actions and response activities provide adequate measures of protection against security breaches and generally reduce our cybersecurity risks. However, cybersecurity threats are constantly evolving, are becoming more frequent and more sophisticated and are being made by groups of individuals with a wide range of expertise and motives, which increases the difficulty of detecting and successfully defending against them. While we have implemented measures to safeguard our operational and technology systems and have established a culture of continuous learning, monitoring and improvement, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may 30 Table of Contents not always be effective. However, as of the date of this Annual Report, management has determined that none of the cybersecurity attacks that we have experienced has resulted in a material impact on our financial condition, results of operations or business strategy. In addition, as of the date of this Annual Report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. For additional information regarding how cybersecurity threats have affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see Part I, Item 1A, Risk Factors Risks Related to Our Business We face risks regarding our information technology and security .

Company Information