Page last updated on November 21, 2025
MATTHEWS INTERNATIONAL CORP reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-21 15:08:29 EST.
Filings
10-K filed on 2025-11-21
MATTHEWS INTERNATIONAL CORP filed a 10-K at 2025-11-21 15:08:29 EST
Accession Number: 0000063296-25-000070
Item 1C. Cybersecurity.
Cybersecurity Program
Matthews depends on integrated information systems to conduct its business. The Company recognizes the importance of maintaining cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its systems and data. Accordingly, the Company has implemented a cybersecurity program designed to protect its information systems and to assess, identify and manage material risks from cybersecurity threats. Matthews' cybersecurity risk management program is aligned to its business strategy. This comprehensive program addresses acceptable use, risk management, data privacy, incident management and reporting, identity and access management, third-party management, physical security, and vulnerability identification.
Risk Management and Strategy
Matthews uses a risk-based, cross-functional approach to manage risks from cybersecurity threats according to the nature and sensitivity of the data and the criticality of the systems to operations. In general, Matthews focuses on preserving the confidentiality, security, and availability of its information and information systems and mitigating and responding effectively to cybersecurity incidents and threats. Matthews' approach to information security follows a defense-in-depth methodology in which security is embedded throughout system architecture. The Company's cybersecurity framework leverages internationally recognized Center for Internet Security (CIS v.8) standard and other internationally recognized frameworks. Technical controls rely on proven technologies, such as network-based intrusion detection systems, next generation firewalls with advanced threat detection, secure server networks, demilitarized zones, and endpoint detection and response capabilities. Security techniques, such as encryption at rest and encryption in transit, are used to incorporate relevant practices.
The Company also has policies and procedures in place designed to maintain compliance with relevant cybersecurity and data privacy laws and regulations in the jurisdictions in which the Company operates, such as the European Union GDPR and the California Consumer Privacy Act. Continuous monitoring of the Company's networks and systems for threats and vulnerabilities is a key component of its strategy, supported by the analysis of threat intelligence from external sources. This multi-layered approach enables early detection and facilitates prompt response to potential cybersecurity threats. Matthews regularly reviews and updates its cybersecurity strategies, policies and procedures, taking into consideration the latest advancements in cybersecurity practices and changes to the threat landscape. The Company also maintains a vulnerability management program where cybersecurity risks are identified, classified, and addressed and periodically conducts penetration testing through an independent third-party assessor. Matthews continues to invest in internal and external tools to better detect, patch, monitor, and restore systems. However, patch and vulnerability management, including for products and information assets, remains a complex and key risk that may lead to future exploits, security breaches and service disruption. Matthews also integrates security measures into its digital products and services, although product security risks and legal compliance requirements will both continue to evolve and grow more complex. The Company's product security efforts are informed in part by key tenets of various industry security standards. As part of its efforts, Matthews conducts risk assessments and prioritizes security validation for certain of its products. The Company conducts cybersecurity tabletop exercises to enhance mitigating controls and incident response preparedness.
When management deems it advisable, the Company engages third parties, including consultants, advisors, auditors and legal counsel, to assist with security and maturity assessments, security operations, employee training and awareness, compliance, penetration testing, network and endpoint monitoring, threat intelligence, and vulnerability management. The Company's cybersecurity risk management processes extend to the oversight and identification of cybersecurity threats presented by third-parties, including vendors, service providers and other external users of its systems, as well as the systems of third parties that could adversely impact the Company's business in the event of a cybersecurity incident affecting those third-party systems. Matthews uses a number of means to assess cyber risks related to its third-parties, including processes governing interconnections with third-party systems and regular review of critical vendors' cybersecurity positions for potential risks. Third-party service provider assessments begin during onboarding and continue throughout the relationship, based upon an assessment of third-party risk. Those assessments include review of System and Organization Controls ("SOC") 1 and SOC 2 reports (as each such report is defined by the American Institute of Certified Public Accountants), and direct interaction with key vendors to assess and address risks. Contracts with third-party service providers contain appropriate protective provisions for the Company including audit rights, third-party notification obligations, and security requirements for the retention of data. The Company regularly deploys mandatory cybersecurity training courses to all employees, and all new hires are required to take cybersecurity training when they receive their Company computer. Failure to complete the training in a timely fashion results in the employee's system access being suspended until completion. 
Management also regularly conducts "phishing" exercises to test the effectiveness of its training programs. The results of these exercises are reported to the Audit Committee. Employees also receive frequent newsletters highlighting cybersecurity developments as well as targeted email messages, as appropriate. Matthews maintains a cybersecurity Incident Response Plan and establishes cybersecurity contingency plans that outline roles, responsibilities, and procedures for handling cybersecurity incidents. In the event of a cybersecurity incident, designated personnel including members of Information Technology ("IT"), finance, legal, communications, human resources and any affected unit or department are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. Matthews has also established a cross-functional Artificial Intelligence ("AI") Council to ensure that artificial intelligence is used legally, ethically, effectively, and commercially successfully across its business. The Matthews AI Council includes key members of its IT and legal functions, including its Chief Information Security Officer ("CISO"). The Matthews AI Council serves as an extension of its cybersecurity program with a specific focus on artificial intelligence systems. The Company maintains cybersecurity insurance coverage intended to protect against loss of business and other related consequences resulting from cyber incidents. Matthews reviews its insurance coverage annually for adequacy against operations and information systems. However, there can be no assurance that the Company's cyber liability insurance coverage will be available to it or provide adequate coverage in the event of a cybersecurity incident.
Notwithstanding the vigorous approach Matthews takes to cybersecurity, the Company may not always be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on it. Matthews has experienced cyber-attacks in the past and, while none of these cyber-attacks resulted in a material disruption to the Company's business, Matthews may experience additional cyber-attacks in the future. As of the filing of this Form 10-K, the Company is not aware of any such attacks that have occurred since the beginning of fiscal 2025 that have materially affected, or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. While the Company has implemented a cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, the Company may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, refer to Item 1A - "Risk Factors - The Company relies on information technology to operate the Company's business. Security breach incidents and breakdowns of information technologies, or failure to comply with laws governing data privacy and data protection, could disrupt the Company's operations, subject the Company to legal claims, and impact the Company's financial results."
Governance
Board of Directors Oversight
At Matthews, the Audit Committee of the Board of Directors is responsible for overseeing the Company's cybersecurity risk management efforts. The Company's Audit Committee regularly reviews and evaluates cybersecurity risks, the design and effectiveness of the Company's cybersecurity program, as well as its contingency plans, and the procedures and policies implemented by management to identify, manage, and mitigate such risks.
The Chief Information Officer ("CIO") and CISO provide regular reports to the Audit Committee, which include information about cyber-risk management, the effectiveness of the Company's cybersecurity framework, direct or emerging threats to the Company, program maturity and strategy, third-party risk management, and benchmarking against its industry peers.
Management's Role Managing Risk
Matthews' CIO and CISO are primarily responsible for assessing and managing cybersecurity risks. The CIO reports directly to the Company's Chief Financial Officer, and the CISO reports to the CIO. The CIO, CISO, and the Company's cybersecurity team have decades of experience in various roles managing information security, developing cybersecurity strategy and implementing, planning and operationalizing a comprehensive global IT infrastructure. In addition, the Company's legal team dedicates full-time internal resources to support the CISO in assessing and addressing compliance issues related to the various data protection and data privacy considerations arising from regulations, statutes and laws in the jurisdictions the Company operates. The CISO is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents. With the support of legal, the CISO is responsible for global regulatory compliance related to cybersecurity regulations and industry standards. The CISO also advises on the implementation of cybersecurity risk management in the Company's products and services as they are being developed. As part of its risk management process, the Matthews management team also identifies, assesses and evaluates risks impacting the Company's operations, including those risks related to cybersecurity, and raises them for internal discussion, and where it is determined to be appropriate, issues are also raised to the Board of Directors for consideration.
Company Information
| Name | MATTHEWS INTERNATIONAL CORP |
| CIK | 0000063296 |
| SIC Description | Nonferrous Foundries (Castings) |
| Ticker | MATW - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | September 29 |