VIRCO MFG CORPORATION 10-K Cybersecurity GRC - 2024-04-12

Page last updated on April 14, 2024

VIRCO MFG CORPORATION reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-12 14:15:49 EDT.

Filings

10-K filed on 2024-04-12

VIRCO MFG CORPORATION filed an 10-K at 2024-04-12 14:15:49 EDT
Accession Number: 0001628280-24-016004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our business is substantially dependent upon our computer systems, devices and networks to collect, process and store the data necessary to conduct most aspects of our business. We have developed and maintain a cybersecurity program, which includes people, processes, and technology aimed at defending our computer systems, devices and networks against increasingly sophisticated threats. Cybersecurity risk management is an integral part of our enterprise risk management program. Our cybersecurity risk management program is designed to align with industry best practices and is fundamentally based on the framework established by the National Institute of Standards and Technology ( NIST ) for handling cybersecurity threats and incidents, including threats and incidents associated with the use of applications and services provided by third parties. The NIST framework facilitates coordination across different departments of the Company and includes steps for assessing the severity of a cybersecurity threat, identifying the source of a threat, including whether the threat is associated with a third-party service provider, implementing countermeasures and mitigation strategies, and informing management and the Board of Directors of material cybersecurity threats, incidents, and impact. Our cybersecurity team is under the direction of the Chief Operations Officer and VP of Technology and Information Security, who are responsible for assessing, deploying, and managing the cybersecurity risk management program. Recognizing the complexity and evolving nature of cybersecurity threats, the cybersecurity team engages with a range of independent third party experts, including cybersecurity assessors and consultants in evaluating and testing our risk management systems. Our collaboration with these independent third parties includes regular threat assessments, such as penetration tests and table-top exercises, and consultation on security enhancements. In addition, the cybersecurity team provides training to applicable members and ongoing cybersecurity education. The Company also maintains cyber risk insurance to help cover costs associated with data breaches and cyberattacks. We evaluate and assess the capabilities of third-party service providers depending on the 22 Table of Contents products and services provided and the potential for data exchange and technology risk. We also receive and review independent assessments of security threats from our major service providers. We regularly assess, identify and manage our material risks from cybersecurity threats by employing the following: Identification of critical systems we seek to identify which operational or information technology, if compromised or exploited, would result in operational disruption or data compromise. We aim to protect the entire environment at an enterprise level where practical, combined with additional layered, risk-based controls designed to safeguard against cybersecurity threats. This strategic, defense-in-depth, and risk-based approach to cybersecurity provides a methodology designed to identify, protect, detect, respond, and recover from cybersecurity incidents. Network segmentation we use a combination of firewalls and routers to provide network segmentation seeking to provide us with network zone protection. Access controls we leverage several security capabilities to attempt to enforce access, authorization and authentication to relevant systems, technology, and controls. A least-privilege methodology is applied for localized client workstations, servers, and applications. Security capabilities for access control include physical, administrative, and technical controls that combine to provide a defense-in-depth approach designed to protect our cyber assets from unauthorized use. Continuous monitoring, detection, and auditing we employ various technologies, tactics, and procedures aimed to continuously monitor, baseline, and detect threats, and audit our network and systems. In addition, we use a combination of technology tools with outside managed security service providers designed to capture, analyze and respond to security anomalies. Patch management we use a network vulnerability scanning tool that continually scans, and reports identified vulnerabilities in servers and workstations in certain networks. Vulnerability scanner reports are used to drive patching and remediation efforts and are also used as a tool to evaluate the effectiveness of efforts to seek to ensure patches are applied timely. Application and infrastructure subject matter experts subscribe to various third-party vendor security notifications to receive proactive notifications on, among other things, bugs, security flaws and mitigations, related to operational and information systems. Cybersecurity Governance Our Board of Directors oversees the execution of our cybersecurity strategy and the assessment of cybersecurity risks, along with the actions that we take seeking to mitigate and address those cybersecurity risks. The Board has delegated primary oversight of cybersecurity risks to the Executive Team and Lead Independent Director, who also reports material cybersecurity risk to the full Board of Directors as necessary. The Board of Directors is responsible for ensuring that management has processes in place that are designed to identify and evaluate cybersecurity risks to which the Company is exposed and implement programs to manage cybersecurity risks and mitigate cybersecurity incidents. Management under the Chief Operations Officer and VP of Technology and Information Security are responsible for identifying, considering, and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential risk exposures are monitored, implementing appropriate mitigation measures and maintaining cybersecurity programs. The Chief Operations Officer and VP of Technology and Information Security and cybersecurity team members are experienced information security professionals, many of whom hold professional certifications and many years of experience in the field. The Chief Operations Officer and VP of Technology and Information Security receive periodic reports from the cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Appropriate procedures for communication to the Executive Team are also built into the incident response plan. The Chief Operations Officer and VP of Technology and Information Security provide regular updates to the Executive Team and the full Board of Directors on the Company s cybersecurity risk management program, material cybersecurity risks, and mitigation strategies. Management provides the Executive Team with cybersecurity reports that cover, among other topics, third-party assessments of the Company s cybersecurity risk management program, developments in cybersecurity, and updates to the Company s cybersecurity risk management program and mitigation strategies. Cybersecurity Threats As of the date of this Annual Report, we are not aware of any cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. We acknowledge that 23 Table of Contents cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See “Item 1A. Risk Factors - Failure in our information technology and storage systems or cybersecurity incidents could adversely affect our business. " for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.

Company Information