GENTEX CORP 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

GENTEX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 15:18:31 EST.

Filings

10-K filed on 2026-02-24

GENTEX CORP filed a 10-K at 2026-02-24 15:18:31 EST
Accession Number: 0000355811-26-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has implemented and maintains multiple layers of physical, administrative and technical security processes designed to protect our manufacturing facilities from disruptions that may result from cybersecurity incidents, as well as to safeguard the confidentiality of our critical systems, and data residing on those systems, including employee data, customer data, and IP. Our risk assessment and management of material risks from cybersecurity threats is integrated into our overall enterprise risk management process, as well as our information systems processes. Our strategy includes regular formal risk assessments, dynamic risk and threat analysis, utilization of security tools, regular cybersecurity-related tabletop and phishing exercises designed to simulate cybersecurity incidents, and frequent security awareness and technical security trainings. We conduct periodic internal and third-party assessments to evaluate our cybersecurity posture and test and assess our incident response program, incident roles and responsibilities, material impact evaluation, and decision-making processes in the event of a cybersecurity incident. We use our risk and security assessments to enhance our information security capabilities.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data, including an incident response policy, plan, procedures and scenario-based playbooks, an incident detection and response program, a vulnerability management program, disaster recovery and business continuity plans, risk assessment processes, security standards, network security controls, access controls, systems monitoring, employee awareness training, and cybersecurity insurance.
The Company has obtained Trusted Information Security Assessment Exchange (TISAX) certification labels within the United States, Germany, and China. The Company is also continuing to work on its ISO 27001 certification. Our internal information security team oversees and works collaboratively with various information security service providers. Our cybersecurity program incorporates external guidance and expertise through the use of third-party service providers to assist in the identification, assessment and management of risks specific to cybersecurity threats, including vendors providing threat intelligence, risk mitigation, dark web monitoring, external scanning and scoring, threat and reputation monitoring, forensics, cyber-insurance, advisory services, and legal counsel. Our security processes include assessing risks arising from engagement of third-party security service providers. Our approach to selecting and overseeing such security service providers includes structured due diligence and an ongoing monitoring process. Prior to engagement, we conduct risk-based vetting of technical competencies, attestations or certifications, policies and controls related to access management, data handling, encryption, incident response, and conflicts of interest and independence. Contractual arrangements with security service providers are tailored to risk and generally include confidentiality and data protection obligations, restrictions on use and disclosure of our information, and requirements for secure transmission, processing, and termination rights for control failures or noncompliance. We put in place least-privilege access, multifactor authentication, and other technical safeguards as appropriate. We have an incident response plan that includes scenario-based playbooks for managing cybersecurity incidents and associated crisis communication procedures designed to facilitate coordination across the Company and with our partners, customers, the public and others. 
For the year ended December 31, 2025, there have been no risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial condition. For a description of risks related to our information technology systems, including cybersecurity threats, see Item 1A, "Risk Factors."

Governance

Our Board addresses cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board (the "Audit Committee") is responsible for overseeing our cybersecurity risk management processes, including our assessment and mitigation of material risks from cybersecurity threats. The Audit Committee receives regular reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes from our information technology and cybersecurity experts. In addition, on at least an annual basis, the Board receives reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes. Our cybersecurity risk assessment and management processes are implemented and maintained by our Vice President of Information Technology and Information Security Officer ("VP of IT"), who is supported by other members of management, as necessary. Our VP of IT is responsible for approving budgets, cybersecurity incident preparedness, approving cybersecurity processes, reviewing security assessments and other security-related reports, engaging security service providers, and providing the Chief Financial Officer ("CFO") with regular updates on cybersecurity-related matters. The Company also has an IT Executive Steering Committee comprised of the VP of IT, CFO, General Counsel, Chief Operating Officer and Chief Technology Officer, and Vice President of Operations. The VP of IT provides regular cybersecurity updates to the Audit Committee.
The Company's VP of IT has served in this role for four years and has more than 25 years of relevant experience. In addition, we have an information security team comprised of dozens of employees dedicated to cybersecurity with extensive experience and relevant certifications. The VP of IT is responsible for hiring appropriate personnel, assisting with the integration of cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, and mitigating and remediating in the event of a cybersecurity incident. Our cybersecurity incident response and vulnerability management programs are designed to escalate certain cybersecurity incidents to various levels of management depending on the circumstances, including our VP of IT, General Counsel, CFO and/or Chief Executive Officer. Management works with our incident response team to help mitigate and remediate certain escalated cybersecurity incidents. In addition, our incident response and vulnerability management programs include reporting certain cybersecurity incidents to the Audit Committee and, in appropriate circumstances, to the Board.


Company Information

Name: GENTEX CORP
CIK: 0000355811
SIC Description: Motor Vehicle Parts & Accessories
Ticker: GNTX - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 31