GRESHAM WORLDWIDE, INC. 10-K Cybersecurity GRC - 2024-04-15

Page last updated on April 15, 2024

GRESHAM WORLDWIDE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-15 17:00:24 EDT.

Filings

10-K filed on 2024-04-15

GRESHAM WORLDWIDE, INC. filed an 10-K at 2024-04-15 17:00:24 EDT
Accession Number: 0000950170-24-044482

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Like all companies that utilize technology, we are subject to threats of breaches of our technology systems. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management. Our management actively oversees our risk management program, including the management of cybersecurity risks. We have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats, including those discussed in our Risk Factors. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. We have established and maintain a Cybersecurity Maturity Model Certification ( CMMC ) compliance program and are working to meet all applicable deadlines. While there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective, we believe that the Company s investment in people and technologies have contributed to a culture of continuous improvement that has put the Company in a position to protect against potential compromises and we do not believe that risks from prior cybersecurity threats have materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that past or future attacks will not materially affect us, including our business strategy, results of operations, or financial condition. Risk Management and Strategy At a high level, the key objectives for the Company s cybersecurity program are to implement and sustain effective security controls to stop intrusion attempts and to maintain and continuously improve its ability to respond to attacks and incidents. Success in achieving these objectives relies upon using quality technology solutions, cultivating and maintaining a team of skilled professionals, and improving processes continuously. Our cybersecurity program in particular focuses on the following key areas: Risk Assessment : At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources, including reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants. The results of the assessment are used to develop initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader Company-wide risk assessment that are then reported to our members of management. 28 Technical Safeguards : We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Incident Response and Recovery Planning : We have established comprehensive incident response and recovery plans that guide our response in the event of a cybersecurity incident. We continuously test and evaluate the effectiveness of those plans. Vendor Risk Management : We have implemented a vendor risk management program, which is designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of on-boarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers in response to detailed questionnaires and meetings as well as information from third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Contract language, purchasing decisions, and/or technology implementation strategies are frequently adjusted as a result of this process. Education and Awareness : Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. As part of that educational process, we periodically simulate cybersecurity threats to the Company and review/assess employee responses. In this regard, the Company has implemented policies and procedures for all employees including: (i) information security/cybersecurity policies, which are internally available for all employees, (ii) information security/cybersecurity awareness training (iii) a clear escalation process which employees can follow in the event an employee notices something suspicious and (iv) ensuring that information security/cybersecurity is part of the employee performance evaluation and/or disciplinary process.

Company Information