CSP INC /MA/ 10-K Cybersecurity GRC - 2025-12-16

Page last updated on February 4, 2026

CSP INC /MA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-16 17:17:11 EST.

Filings

10-K filed on 2025-12-16

CSP INC /MA/ filed a 10-K at 2025-12-16 17:17:11 EST
Accession Number: 0000356037-25-000065

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have implemented a comprehensive cybersecurity risk management strategy to evaluate, detect, and mitigate significant risks posed by cybersecurity threats. The Information Security Risk component of our overall Risk Management Policy outlines our approach to manage processes, people and technology to address and meet the ever-changing challenges in the global IT security landscape. Our program aims to safeguard our systems, data, and operations against cyber threats, maintain business continuity, ensure compliance with relevant privacy and other regulations, and fulfill our commitments to members, customers, suppliers, employees, and other stakeholders. Our cybersecurity program is designed to align with and meet the rigorous standards set by industry frameworks such as NIST, SOC 2 Type 2, and other relevant guidelines. By adhering to these frameworks, we ensure that our security measures are robust, comprehensive, and effective in protecting our systems, data, and operations. This commitment not only helps us maintain compliance with regulatory requirements but also demonstrates our dedication to providing a secure environment for our members, customers, suppliers, employees, and other stakeholders. Risk Assessment; Third Party Assessments and Audits An information security Risk Assessment (RA) is conducted annually or following any significant changes to the operating or sensitive data environments to identify vulnerabilities and implement appropriate controls and risk mitigation strategies. These assessments can be conducted on any entity within CSPi or any external entity that has signed a Third-Party Agreement with CSPi , covering information systems, applications, servers, networks, and related processes. The IT Manager, along with the responsible department, oversees the execution, development, and implementation of remediation programs. The RA process involves assembling a team, defining the scope, identifying business and IT owners, conducting interviews, reviewing controls and incidents, developing a threat/risk matrix, and preparing an executive summary with recommendations. The executive team reviews and approves the recommendations, and a project is initiated to implement the necessary controls and procedures, which are tested quarterly. Incident Response Planning Our incident response policies and procedures are aligned with applicable laws and state policies. They encompass the identification of roles and responsibilities, investigation, containment and escalation procedures, documentation and preservation of evidence, communication protocols, and lessons learned. We have established robust incident reporting policies and procedures. These include training employees and contractors to recognize and report incidents promptly upon discovery, as well as preparing and submitting follow-up written reports. To date, no cybersecurity incident has resulted in any material impact on our business, operations or financial results or our ability to service our customers or run our business. Governance A formal process exists through our enterprise risk management matrix developed by the management team of the Company that tracks the Company's material risks, associated mitigation and remediation strategies and direct accountability which is submitted quarterly to the Audit Committee of the Board of Directors for review and oversight. The management team includes our Vice President and General Manager of the HPP segment , who has developed cybersecurity software at the Company. In addition, he has been the Chief Technical Officer and served in various roles at several cybersecurity companies over his 40 year career. He holds a Bachelor of Science in Business and Engineering as well as a Masters of Science in Finance. Also on the team is the Vice President of Managed Services at the TS segment, who has over twenty years of technology experience including the monitoring and management of other organization's security systems.

Company Information