Page last updated on February 27, 2026
UFP TECHNOLOGIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:13:09 EST.
Filings
10-K filed on 2026-02-27
UFP TECHNOLOGIES INC filed a 10-K at 2026-02-27 16:13:09 EST
Accession Number: 0001628280-26-012816
Item 1C. Cybersecurity.
Risk management and strategy

The Company employs a multi-faceted approach to assess, identify, and manage material risks from cybersecurity threats. Components of our approach include the following:

- The Company aligns its cybersecurity program with the Center for Internet Security ("CIS") framework of Critical Security Controls
- System penetration testing is performed by rotating third-party service providers at least every 18 months.
- System vulnerability testing performed by our cybersecurity partner who is System of Organization Controls ("SOC") 2 certified and also assists with mitigation.
- Network assessments are performed regularly by both an internal continuous process and by qualified 3rd party cybersecurity service providers at least bi-annually.
- Facilitated incident response tabletop exercises conducted at least bi-annually by qualified cybersecurity service providers.
- Monitoring of Federal government alerts (CISA, FBI) and industry threat information is performed to stay current on the newest cybersecurity threats bad actor tactics.
- Multifactor authentication is required for all authorized users to access network resources which adds a second layer of protection from unauthorized entry to our systems.
- Associates are required to complete mandatory cybersecurity awareness training annually.
- We have Certified Information System Security Professional ("CISSP") and Information Systems Security Management Professional ("ISSMP") certifications among our internal security personnel.
- Automated phishing testing is used to assess the effectiveness of our cybersecurity awareness training.

The cybersecurity risk assessment process is part of the Company's overall risk management process. The Company's cybersecurity partner helps us prioritize actions to improve compliance with CIS Critical Security Controls and assists with those actions. The Company also utilizes other third-party consultants and services in our process of assessing and managing cybersecurity risk for a diverse perspective of our cybersecurity practices and posture. To mitigate the risk of cybersecurity threats related to the use of third-party service providers, the Company obtains and reviews SOC reports from third parties when available, to provide assurance that the third-party has appropriate controls in place and has not identified any significant cyber issues.

As discussed in Item 1A "Risk Factors" on or about February 14, 2026, the Company detected the Cyber Incident. Upon detecting the Cyber Incident, the Company began taking steps to assess, contain, and remediate the unauthorized activity, including isolating the affected systems and launching an investigation with the assistance of external cybersecurity advisors. Through the Company's efforts, the Company believes that the third party responsible for the Cyber Incident has been removed from the Company's IT systems, and the Company's ability to access information impacted by the Cyber Incident has been restored in all material respects.

The incident appears to have impacted many but not all of the Company's IT systems and affected functions such as billing and label making for customer deliveries. Certain Company or Company-related data appear to have been stolen or destroyed. As a result of the Company's contingency plans and data backup systems, the Company had implemented planned solutions for the issues posed by the incident. The Company's operations have continued since the detection of the Cyber Incident in all material respects.

Although the Company has ascertained that certain files were exfiltrated, it is still investigating the extent of any sensitive information contained in the accessed systems, including whether any personal information was exfiltrated. It is evaluating what legal and regulatory notifications and filings may be required as a result of this incident and will make such filings as are required based on its findings. The Company continues to investigate the nature and scope of the unauthorized access.

The Company currently expects that a significant portion of its direct costs incurred relating to containing, investigating and remediating the cybersecurity incident will be reimbursed through insurance recoveries though there is no assurance these recoveries will be adequate. As of the date hereof, the Cyber Incident has not had a material impact on the Company's financial systems, operations or financial condition, and, while the Company's investigation and assessment of this incident is ongoing, the Company does not believe the Cyber Incident is reasonably likely to materially impact the Company's financial condition or results of operations.

The Company does not believe that any risks from cybersecurity threats such as the Cyber Incident have materially affected or are reasonably likely to affect our business strategy, results of operations, or financial condition. See Item 1A "Risk Factors" for a summary of certain cybersecurity risks, including the risks under the headings "Security breaches, including cybersecurity incidents and other disruptions could compromise our information, expose us to liability and harm our reputation and business" and "We experienced a material information technology ("IT") systems incident in February 2026, which could result in a number of potentially unknown outcomes, including but not limited to, litigation, regulatory investigations or enforcement actions, or reputational harm, any of which could have a material impact on our business operations, financial condition, or results of operations."

Governance

General risk assessment and management oversight resides with the Company's Board of Directors. The Company's Audit Committee has oversight of financial risks and is in charge of reviewing the Company's information security disclosures and incident reporting related to cybersecurity. The Company's Board of Directors reviews the Company's information security procedures and evaluates management's assessment of materiality for cyber incidents. The Board of Directors is formally updated on cybersecurity risks no less than annually.

Management is responsible for assessing and managing material risks from cybersecurity threats. This responsibility primarily resides with the VP of Information Technology and his qualified team, including dedicated cybersecurity personnel. The qualifications of the Information Technology team include a combination of formal education (e.g. Master's degrees in Cybersecurity and Information Assurance); CISSP and ISSMP certifications and, over 100 years of combined Information Technology experience. Management's process for monitoring prevention, detection, mitigation, and remediation of cybersecurity incidents is summarized above in the Risk management and strategy section.
Company Information
| Name | UFP TECHNOLOGIES INC |
| CIK | 0000914156 |
| SIC Description | Surgical & Medical Instruments & Apparatus |
| Ticker | UFPT - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |