DUCOMMUN INC /DE/ 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

DUCOMMUN INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 06:14:58 EST.

Filings

10-K filed on 2026-02-26

DUCOMMUN INC /DE/ filed a 10-K at 2026-02-26 06:14:58 EST
Accession Number: 0001628280-26-011952

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We have an enterprise-wide approach to addressing cybersecurity risk, including input and participation from management and support from our Information Technology ("IT") Steering Committee that is comprised of our Senior Vice President Electronic and Structural Systems, Chief Financial Officer, General Counsel, Chief Human Resources Officer, Vice President Supply Chain Management, Vice President Engineered Products Group, and Chief Information Security Officer (Head of IT and Cybersecurity or "CISO") . Our cybersecurity risk management program leverages the National Institute of Standards and Technology ("NIST") Framework which is augmented with Cybersecurity Maturity Model Certification ("CMMC") components to meet our particular needs. We regularly assess the threat landscape and take a holistic view of the cybersecurity risks, with a layered cybersecurity strategy based on protection, detection, and mitigation. Our IT security team, which is comprised of internal resources, reviews enterprise risk management-level cybersecurity risks at least annually. Our CISO is responsible for developing, implementing, and maintaining our information security strategy and program, as well as reporting various cybersecurity risk matters to our IT Steering Committee, and the Board's Innovation Committee. The Innovation Committee is a subset of the full Board of Directors which receive regular updates on our cybersecurity program. Our CISO has over 19 years of experience leading cybersecurity oversight for several companies and is updated on cyber events related to the monitoring, prevention, detection, mitigation, and remediation efforts from our IT security team. The IT security team have broad cybersecurity expertise or industry certifications and are knowledgeable in the use of cybersecurity tools and software. In addition, third-party cybersecurity services are used to augment our in-house capabilities, as needed. We continue to expand investments in IT security, including additional end-user security awareness training, using layered defenses, identifying and protecting critical systems, strengthening monitoring and alerting, and engaging experts as needed. We also use an industry standard risk quantification model to identify, measure, and prioritize cybersecurity risks. This, in turn, helps us develop and implement effective security controls and technology defenses. In addition, all members of management and employees with assigned e-mail boxes complete various cybersecurity awareness training on a regular basis. Further, we perform periodic simulations and tabletop exercises with the IT security team as well as with our executive team. Our assessment of risks associated with the use of third-party providers is on a limited basis and is part of our current overall cybersecurity risk management approach. As cybersecurity threats and attacks are becoming more sophisticated, we will modify and enhance our cybersecurity program as needed. As a defense contractor, we must also comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement ("DFARS") related to adequately safeguarding controlled unclassified information ("CUI"). The Department of War ("DoW") requires defense contractors to comply with its CMMC program for contracts that mandate the requirement. We are incorporating the requirements of the CMMC program into our overall cybersecurity program and anticipate we will be in position to meet such requirements by the time it becomes fully rolled out to all contracts in 2028. To date, we do not believe risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See "Cybersecurity attacks, internal system or service failures may adversely impact our business and operations" in Risk Factors included in Part I, Item 1A of this Form 10-K. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, implementing additional threat protection measures, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with third-parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventive measures. For more information regarding the risks we face from cybersecurity threats, please see "Cybersecurity attacks, internal system or service failures may adversely impact our business and operations" in Risk Factors included in Part I, Item 1A of this Form 10-K.

Company Information