Page last updated on May 28, 2025
TRANSCAT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-27 16:06:47 EDT.
Filings
10-K filed on 2025-05-27
TRANSCAT INC filed a 10-K at 2025-05-27 16:06:47 EDT
Accession Number: 0001437749-25-018483
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy.

We have processes for assessing, identifying, and managing cybersecurity threats, and cybersecurity is an integral part of our overall enterprise risk management program which is overseen by our Audit Committee and the Board of Directors. Our strategy includes a comprehensive cybersecurity framework, utilizing advanced technologies and methodologies, such as cloud migrations and deployment of threat detection tools to mitigate potential risks. Continuous risk assessments help us better refine our strategy, guiding the deployment of technical safeguards and shaping our incident response plans. For acquired companies, our integration strategies prioritize establishing comprehensive timelines for harmonizing information security, data privacy, and cybersecurity practices. This includes a strong focus on aligning employee education programs to ensure a seamless transition and uphold security and privacy standards across our entities.

We take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect our operations, finances, legal or regulatory compliance, or reputation. The scope of our evaluation encompasses risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers, ensuring the service providers adhere to our security standards, thereby safeguarding our integrated operations. The strategic migration of our data centers and infrastructure to secure cloud environments, coupled with the implementation of targeted technical cybersecurity measures, underscores our dedication to establishing foundational security across our users, applications, data, systems, and networks.
We have established a comprehensive incident response plan to swiftly address and recover from cybersecurity incidents, minimizing operational impact. We conduct regular trainings and simulations to enhance our team’s awareness and preparedness against cyber threats. Our proactive approach to addressing identified vulnerabilities affirms the continuous improvement of our security posture.

Use of Consultants and Advisors.

We engage various third-party cybersecurity service providers to assess and enhance our cybersecurity practices and assist with the protection and monitoring of our systems and information. This encompasses a range of services, including network monitoring, endpoint protection, vulnerability assessments, and penetration testing. Additionally, we engage cybersecurity consultants, auditors, and other third parties, such as a third-party consulting firm, to rigorously evaluate our cyber processes. This includes a comprehensive assessment of our incident response procedures, ensuring they meet the highest standards of readiness and effectiveness.

To ensure the integrity and security of our operations, we have implemented stringent processes to evaluate third-party service providers and vendors that have access to sensitive systems, as well as company and customer data. This evaluation may include due diligence procedures such as assessments of the service provider’s cybersecurity posture or recommendations for specific mitigation controls. Following an assessment, we determine and prioritize service provider risk based on potential threat impact and likelihood. These risk determinations are crucial in driving the level of due diligence and ongoing compliance monitoring required for each service provider.

Board Oversight and Management’s Role.

The Board of Directors, both directly and through the delegation of responsibilities to the Audit Committee, oversees the proper functioning of our cybersecurity risk management program to ensure strategic alignment and governance of our cybersecurity efforts at the highest level. In particular, the Audit Committee assists the Board of Directors in its oversight of management’s responsibility to assess, manage and mitigate risks associated with our business and operational activities, to administer our various compliance programs, in each case including cybersecurity concerns, and to oversee our information technology systems, processes and data.

Management has implemented robust risk management structures, policies, and procedures, with day-to-day cybersecurity risk management being a core responsibility. Our Chief Information Officer (“CIO”) spearheads the assessment and management of cybersecurity risks, ensuring that our strategies and actions are both proactive and responsive to the evolving cybersecurity landscape. Supporting this effort, we have a cross-departmental approach to cyber security management. This ensures that our executive leadership team receives comprehensive quarterly updates on cybersecurity from various teams within the organization. Such updates are instrumental in promoting stakeholder engagement across all levels and enhancing management’s oversight of cybersecurity. The content of these updates includes progress on ongoing cybersecurity initiatives, insights from recent threat assessments or incidents, findings and action plans derived from external vulnerability and penetration tests, and key performance metrics aligned with industry standards. Our CIO and our Chief Financial Officer report risks to the Audit Committee on a quarterly basis.

Risks from Material Cybersecurity Threats.

Despite ongoing cyber-attacks, such as unauthorized access, phishing, and ransomware, we have not identified any cybersecurity incidents that have materially affected or are reasonably anticipated to have a material effect on our business strategy, results of operations, or financial condition. Our proactive security measures, alongside those of our third-party vendors, aim to protect our information technology systems and the sensitive data they hold.

To bolster our cybersecurity posture, Transcat has engaged a third-party Managed Security Services Provider (“MSSP”) to enhance our defensive capabilities. This partnership includes comprehensive vulnerability scanning both internally and externally to detect potential security weaknesses before they can be exploited. Our MSSP also provides round-the-clock monitoring through a 24x7x365 Security Operations Center (“SOC”), safeguarding our digital assets (“Endpoint Detection and Response - EDR”), identities (“Identity Detection and Response - IDR”), and integrating supplemental logging sources such as firewalls and Enterprise Resource Planning systems (“Extended Detection and Response - XDR”). Furthermore, we have established Incident Response as a Service (“IRaaS”) to ensure rapid and effective action in the event of a security breach.
Company Information
Name | TRANSCAT INC |
CIK | 0000099302 |
SIC Description | Instruments For Meas & Testing of Electricity & Elec Signals |
Ticker | TRNS - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | March 29 |