NATURAL ALTERNATIVES INTERNATIONAL INC 10-K Cybersecurity GRC - 2025-09-23

Page last updated on September 23, 2025

NATURAL ALTERNATIVES INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-09-23 16:16:24 EDT.

Filings

10-K filed on 2025-09-23

NATURAL ALTERNATIVES INTERNATIONAL INC filed a 10-K at 2025-09-23 16:16:24 EDT
Accession Number: 0001437749-25-029731

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy As part of our overall enterprise risk management function, we have implemented and currently maintain various information security processes designed to identify, assess and manage material risks related to information technology, including cybersecurity threats to our critical computer networks, third-party hosted services, and our critical data, (“Information Systems”). Our Information Systems risk management process evaluates and mitigates cybersecurity risks in alignment with our business objectives and operational needs. We periodically engage third -party consultants and service providers to obtain an independent assessment regarding internal efforts to prevent threats to our Information Systems. Continuous vigilance over safeguarding the Company’s Information Systems has resulted in our current approach and these assessments are shared with our Audit Committee. Technology To mitigate the occurrence of an incident as defined by the Company’s formal documentation, which classifies and defines the properties of potential threats, the Company has in place a host of defenses which include, but are not limited to, the use of gateway consoles in all our global locations, limited access to key Information Systems from in-office networks or VPN with multi-factor authentication by means of a third -party mobile identity management tool to limit access to authorized users. Process Internally to manage potential cybersecurity threats, we have established an Incident Response Plan that is designed to control the workflow of a reported incident. This plan formalizes incidence response stages such that reporting, identification, scope, response, and recovery are executed in a timely manner and identifies the order and coordination of internal and external communication. In addition, the Company addresses crisis management and business continuity with respect to Information Systems to ensure reliable redundancy and recovery of backed-up databases. Management is not aware of any material security breaches on its Information Systems and risks from cybersecurity threats have not previously materially affected us. Certain of our vendors have experienced cyberattacks in the past and the threat and development of cyberattacks is continuous. It is impossible to say with certainty whether the Company’s efforts will prevail in a coordinated attack on its Information Systems. Currently we expect the risks from cybersecurity threats will continue, but are not reasonably likely to materially affect us mostly due to our profile and not because our defenses are impenetrable or the efforts of criminals will not become more sophisticated. A cybersecurity attack on our systems could have a material negative impact upon our business, results of operations or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.” Governance Role of the Board The Audit Committee of our Board of Directors (the “Board”) has the responsibility for the oversight of risk management, including those risks related to cybersecurity. The Board holds strategic planning sessions with senior management to discuss strategies, key challenges, risks and opportunities for mitigation. The involvement of our Board in setting our business strategy is a key part of its oversight of risk management, its assessment of management’s appetite for risk, and its determination of what constitutes an appropriate level of risk for us. Our senior management attends meetings of our Board and its committees on a quarterly basis, and management communicates with the Board and its members regularly between Board meetings as otherwise needed and are available to address any questions or concerns raised by our Board on risk management and any other matters. Role of Management Our senior management, with the oversight of the Board, is responsible for the day-to-day management of the material risks the Company faces, including those related to cybersecurity. We believe it is important to work at all levels of the Company’s hierarchy to manage cybersecurity risks and threats. Therefore, all users must use an online IT ticketing system, which is monitored around the clock, to report any incidents. Qualified individuals in IT determine what resources to allocate to each case and escalation of an incident, if deemed necessary. The Systems Administrators and IT Director, who has more than 18 years of experience with the Company, communicates on a day-to-day basis with the Chief Financial Officer, and President/Chief Operating Officer who would bring any material cybersecurity issues to the attention of the Company’s Chief Executive Officer, the Audit Committee, and the Board.

Company Information