SIFCO INDUSTRIES INC 10-K Cybersecurity GRC - 2025-12-22

Page last updated on December 22, 2025

SIFCO INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-22 09:05:16 EST.

Filings

10-K filed on 2025-12-22

SIFCO INDUSTRIES INC filed a 10-K at 2025-12-22 09:05:16 EST
Accession Number: 0001628280-25-058405

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have processes in place aimed at assessing, identifying, and managing material risks from cybersecurity threats. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Key elements of our cybersecurity risk management program include: - periodic risk assessments designed to help identify material cybersecurity risks to our critical systems and information; - a formal register documenting and mitigating identified risks, reviewed by management on a quarterly basis; - a data protection team principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents; - the regular use of external service providers to independently assess and test security posture, as well as to otherwise assist with aspects of our security processes; - cybersecurity awareness training of our employees, including incident response personnel and senior management; - a written cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, including data storage and restoration and disaster recovery plans; and - a third-party risk management process for key service providers based on our assessment of their criticality to our operations and respective risk profile. Most recently, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, which have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See "Risk Factors-Risks Related to Our Business and Operations." Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and maintains oversight of risk assessment and risk management, including cybersecurity and other information technology risks. In addition, our Board of Directors oversees management's implementation of our cybersecurity risk management program. The Board of Directors receives periodic reports from management on our cybersecurity risks. In addition, management updates the Board of Directors, where it deems appropriate, regarding cybersecurity incidents it considers to be significant or potentially significant. These presentations may cover a range of topics, including: - the current cybersecurity landscape and best practices for mitigating emerging threats; - progress on cybersecurity projects; - incident reports; - updates from past event(s); and - adherence to regulatory requirements and/or industry standards, as appropriate. Our management team, including our Data Protection Officer and external counsel, are responsible along with the Company's Board of Directors for assessing and managing our material risks from cybersecurity threats. Our Data Protection Officer has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Data Protection Officer has extensive experience in overseeing information technology and cybersecurity programs. Collectively, has approximately twenty years of experience in information technology, including more than eight years with direct responsibility for cybersecurity oversight and implementation. This experience included developing and implementing a cybersecurity incident response playbook and leading initiatives to achieve compliance with the NIST CSF 2.0 cybersecurity regulatory framework. Other experience included expanding and maintaining cybersecurity program in response to evolving state regulatory requirements, implementing automated playbooks to prevent and mitigate cyber threats, and overseeing compliance efforts related to NYDFS and CCPA. This backgrounds equips management with practical cybersecurity knowledge, and includes direct experience in cybersecurity program development, incident response readiness, automation of threat prevention, and compliance with applicable cybersecurity and data privacy regulations. Our management team takes steps to remain informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Company Information