M-tron Industries, Inc. 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

M-tron Industries, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 16:39:33 EDT.

Filings

10-K filed on 2024-03-25

M-tron Industries, Inc. filed a 10-K at 2024-03-25 16:39:33 EDT
Accession Number: 0001437749-24-009243

Item 1C. Cybersecurity.

Cybersecurity risk management is an integral part of our overall enterprise risk management efforts. No enterprise risk can be eliminated entirely. We seek to mitigate as much risk as possible and manage the remaining financial risk through a robust cyber insurance policy. The Company has chosen the National Institute of Standards (NIST) for its base framework for handling cybersecurity threats and incidents because it is compatible with certain risk management business functions required by customers and US Government oversight. Controls in the SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) catalog have been tailored-in based on governance found in SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), internally determined IT general controls and industry best practices to create a balanced approach aimed at protecting confidentiality, integrity, and availability of the Company’s IT systems.

The Board has delegated its primary responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee of the Board (the “Audit Committee”). The Audit Committee has delegated the Company’s cybersecurity functions to senior management, including the Director of IT, and ensures there are sufficient budgetary resources for personnel and technology to support the necessary cybersecurity functions. The Company’s cybersecurity incident response is overseen by our Director of IT, who reports directly to our President and is a member of the enterprise management team which includes our CEO. Our Director of IT has more than 15 years of experience in information system management, holds multiple university degrees in information systems and is a Microsoft Certified System Engineer.

As part of its oversight responsibilities, the Audit Committee receives updates at least annually, and as requested throughout the year, on our cybersecurity practices as well as cybersecurity and information technology risks from our Director of IT. These regular updates include topics related to cybersecurity practices, cyber risks, and risk management processes, such as updates to our cybersecurity programs and mitigation strategies, and other cybersecurity developments. Senior management are responsible for incident response efforts enterprise wide with the Director of IT and the broader internal IT team focusing on cybersecurity incidents. In the event MtronPTI determines it has experienced a material cybersecurity incident, the Audit Committee will be notified and consulted regarding the incident in advance of filing a Current Report on Form 8-K.

The Company’s internal IT team participates in several industry information sharing groups including the Defense Industrial Base Cybersecurity Program and The Society of Industrial Security Professionals and has also fostered local contacts with the FBI and local industry peers. The IT team monitors industry news daily and responds to threat feeds from multiple sources.

To further its cybersecurity efforts, MtronPTI has partnered with several external entities including:
A strategic customer who provides a network sensor monitored by its 24/7 security operations center.
A commercial threat feed integrated with our perimeter security devices in partnership with the Defense Cyber Crime Center.
A commercial DNS security service integrated with perimeter security devices.
A commercial email threat detection service including detonation chamber services.

Insider threats are monitored by an internal insider threat team. All users with email access are provided annual and quarterly cyber security training and participate in bi-weekly phishing tests to maintain continuous awareness of threats. Access to the Company’s enterprise resource planning system is limited by a second layer of access approval and authorization through the corporate controller. Endpoint detection and response is centrally managed as is endpoint flaw detection and remediation.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors - Cybersecurity risks and cybersecurity incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our financial results” in this Report.


Company Information

Name: M-tron Industries, Inc.
CIK: 0001902314
SIC Description: Electronic Components, NEC
Ticker: MPTI - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30