COMTECH TELECOMMUNICATIONS CORP /DE/ 10-K Cybersecurity GRC - 2025-11-10

Page last updated on November 10, 2025

COMTECH TELECOMMUNICATIONS CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-10 16:28:36 EST.

Filings

10-K filed on 2025-11-10

COMTECH TELECOMMUNICATIONS CORP /DE/ filed a 10-K at 2025-11-10 16:28:36 EST
Accession Number: 0000023197-25-000080

Item 1C. Cybersecurity.

Cybersecurity Risk Management Strategy and Program

We identify and assess material risks from cybersecurity threats predominantly through the work of our Information Security ("InfoSec") team as part of our enterprise risk management ("ERM") process. Our ERM process is designed to identify and evaluate the full range of significant risks to Comtech. As part of our ERM program, our functional and operations departments identify and manage enterprise risks on an annual cycle. The process consists of structured reviews, discussions, and mitigation planning, and includes risks identified by our cybersecurity functions. The cybersecurity ERM process is administered by InfoSec with input from each business segment and function. InfoSec continually monitors material cybersecurity risks facing Comtech, including cybersecurity threats and threats to our internal systems, our products, services and programs for customers, and our supply chain. Our cybersecurity risk management team has extensive experience leading information technology for global organizations across communications, aerospace and defense, and works directly with our CEO, Chief Financial Officer, Executive Vice President ("EVP") of Systems and IT Controls, and other members of senior management team to assess cybersecurity threats as part of our ERM process.

To manage and remediate cybersecurity risks identified as part of our ERM process and to manage emerging cybersecurity threats in real time, we have implemented a Managed Detection and Response system that supports the Security Operations Center. We are a member of the DoD Defense Industrial Base Collaborative Information Sharing Environment and the National Defense Information Sharing and Analysis Center. These organizations share real-time cybersecurity threat information and best practices in protecting, detecting and recovering from cybersecurity threats.

As a government contractor, we must comply with extensive cybersecurity regulations, including the DFARS related to adequately safeguarding controlled unclassified information and reporting cybersecurity incidents to the DoD. The policies and controls we have implemented to date reflect our adherence to these requirements and have been assessed by external organizations, including industry partners.

During fiscal year 2025 and through the date of this filing, based on the information available, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents (as such terms are defined in Item 106(a) of Regulation S-K), that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Please see Cybersecurity Risks under Item 1A - Risk Factors under Part I of this Form 10-K for more information about risks to us from cybersecurity threats.

Enterprise Cybersecurity

Our enterprise cybersecurity program aligns with the National Institute of Standards and Technology ("NIST") standards, among others, and includes processes and controls for the deployment of new IT systems by us and controls over new and existing systems operation. We monitor and conduct regular testing of these controls and systems, including vulnerability management through active discovery and testing to regularly assess patching and configuration status. In addition, we require our employees and contract workers to complete annual cybersecurity training, and we regularly conduct simulated phishing and cyber-related communications.

Cybersecurity for U.S. Government Authorized Systems

Our information technology systems used in connection with programs for the U.S. government align with the NIST standard and meet the requirements of 32 CFR Part 117 (National Industrial Security Program Operating Manual or "NISPOM") and other applicable U.S. government guidance. The program includes authorizations and assessments of new and existing IT systems by our customers. We monitor use on these systems, including vulnerability management through patching and configuration. In addition, we restrict user access and require authorized users to complete additional user and cybersecurity training.

Third Party Service Providers

We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program's risk prevention and protection measures and process execution, including incident detection, investigation, analysis and response, eradication and recovery.

Management of Third-Party Risks

Our suppliers, subcontractors and third-party service providers are subject to cybersecurity obligations and controls as aligned with DFARS and U.S. Federal Acquisition Regulations ("FARS") requirements. We are making strides to ensure suppliers, subcontractors and third-party service providers are knowledgeable and aligned with DFARS and FARS requirements. We are also developing an enhanced program for our suppliers, subcontractors, and third-party service providers to agree to cybersecurity-related contractual terms and conditions of purchase to ensure their commitment to the mandates. Many of these contractors, suppliers or third parties are also subject to regulatory requirements in mandatory government procurement clauses, including those contained in the DFARS and FARS, which obligate adherence to a generally accepted cybersecurity framework, such as NIST, and occasional assessment of their implementation of cybersecurity controls as a condition of contract award or during contract performance. Finally, we require these third parties to notify us of cybersecurity incidents that impact us.

Program Assessment

We continuously evaluate and seek to improve and mature our cybersecurity processes and controls. Our cybersecurity program is regularly assessed through management self-evaluations and ongoing monitoring procedures to evaluate our program effectiveness, including vulnerability management through active discovery and testing to validate patching and configuration. Additionally, InfoSec regularly assesses our program effectiveness through audits of our entities, systems, and processes to help maintain compliance with policies.

As cybersecurity threats are continuously evolving, we also periodically engage with third parties to perform maturity assessments of our program to identify potential risk areas and improvement opportunities. This includes assessment of our overall program, policies and processes, compliance with regulatory requirements and an overall assessment of key vulnerabilities. We use these assessments to supplement our own evaluation of the overall effectiveness of our program and target improvement areas.

Several external organizations also evaluate our enterprise cybersecurity program, including the U.S. Defense Contract Management Agency ("DCMA") and Cybersecurity Maturity Model Certificate or "CMMC" Third Party Assessment Organization. Moreover, some of our products are audited or reviewed for regulatory compliance certification pursuant to the relevant DoD risk management framework.

Board Oversight and Management's Role

Our Board of Directors has primary oversight responsibilities for enterprise cybersecurity risks. The Technology, Innovation, and Cyber Committee of the Board of Directors also reviews enterprise cybersecurity risks in connection with its oversight of cybersecurity and compliance risks. Our cybersecurity risk management team leads our enterprise cybersecurity program and is responsible for assessing and managing enterprise cybersecurity risks.

Our cybersecurity risk management team regularly updates the Technology, Innovation and Cyber Committee and Board of Directors on cybersecurity risks as they relate to our information and operational technology systems and our suppliers and partners, as well as provides regular updates on enterprise cybersecurity incidents and key defenses and mitigation strategies. Our cybersecurity risk management team regularly reviews and manages enterprise cybersecurity risks, controls, program policy and processes, including training, oversees policy and program development, implementation, and updates, and informs senior leadership on cybersecurity-related issues and activities affecting the organization. Additionally, our cybersecurity risk management team regularly monitors and leads efforts to address and remediate, as appropriate, enterprise cybersecurity events, threats, and activities, including with respect to incidents, protection vulnerabilities, software update needs and lifecycle status.


Company Information

Name: COMTECH TELECOMMUNICATIONS CORP /DE/
CIK: 0000023197
SIC Description: Radio & Tv Broadcasting & Communications Equipment
Ticker: CMTL - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: July 30