ULTRALIFE CORP 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

ULTRALIFE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:47:41 EDT.

Filings

10-K filed on 2024-03-21

ULTRALIFE CORP filed an 10-K at 2024-03-21 16:47:41 EDT
Accession Number: 0001437749-24-008872

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Securing the Company’s IT systems is integral and foundational to its everyday operations. The Company s Security Steering Committee is comprised of cross-functional executive management team members that collectively possess an extensive level of security and technology operations expertise. The mission of our Security Steering Committee is to focus on defining and deploying its information security strategy, sustaining a robust employee cyber awareness and training program, executing security engineering, providing continuous monitoring of its operations, responding and coordinating the response and investigation of cyber threats, building and testing its disaster recovery plans in support of its businesses continuity plan requirements, and developing its cyber and information security policies. The Company’s cybersecurity strategy is based on recognized best practices, standards, and frameworks for cybersecurity and information technology, including the Center for Information Security (“CIS”) Controls and National Institute of Standards and Technology (“NIST”). The strategy focuses on implementing technologies, controls, and processes to constantly monitor, identify, assess, and manage cybersecurity risks. The Company s cybersecurity program includes exercises and trainings designed to sustain a high level of cybersecurity awareness and readiness across our employee base. The Company also has a cybersecurity incident response plan that is designed to provide a framework across all functions for a coordinated identification and response to security incidents. The Company engages leading cybersecurity firms to assist with its security engineering and operations provide independent evaluations of its security posture through regular assessments and to audit and provide advice on how to make its security processes and controls more effective. Furthermore, the Company utilizes third-party service providers to perform a variety of functions to assist in operating the business. The cybersecurity risks associated with the use of certain providers are covered under a vendor management process. Depending on the nature of the services provided, the sensitivity and/or quantity of information processed, the vendor management process may include reviewing cybersecurity practices of these providers, contractually imposing obligations on the provider, inspecting independently audited reports, and/or conducting its own security assessments of their services. The Company s Board of Directors has ultimate oversight of the Company s cybersecurity risk. Management updates the Board of Directors on the Company’s cybersecurity and information security posture at least quarterly at the Company s board meetings, or more frequently as determined to be necessary or advisable. These updates include a review of cybersecurity incidents determined to have a moderate to high business impact, even if immaterial to the Company as a whole. The Audit Committee has responsibility for assisting the Board in the review and oversight of risks affecting the Company, and oversees the enterprise risk management process, which includes, with the assistance of senior management, assessing the Company s exposure to cybersecurity risk and the effectiveness of the Company s processes and controls to address and respond to those risks. Management is responsible for hiring appropriate personnel, integrating cybersecurity considerations into the Company s overall risk management strategy, and for communicating key priorities to employees, as well as for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Notwithstanding the focus and emphasis on cybersecurity, the Company has experienced and will continue to experience cybersecurity incidents, and there can be no guarantee that future incidents will not have a material adverse effect on its business. See “Risk Factors - Breaches in security, whether cyber or physical, and related disruptions and/or our inability to prevent or respond to such breaches, could diminish our ability to generate revenues or contain costs, compromise our assets, and negatively impact our business in other ways” for more information on the Company’s cybersecurity risks. 25

Company Information