COMPX INTERNATIONAL INC 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

COMPX INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 16:15:53 EST.

Filings

10-K filed on 2026-03-04

COMPX INTERNATIONAL INC filed a 10-K at 2026-03-04 16:15:53 EST
Accession Number: 0001104659-26-023463

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We recognize the importance of proactively assessing, identifying and managing material risks associated with cybersecurity threats. These risks include, among other things: operational disruptions, intellectual property theft, fraud, extortion, harm to employees or customers and violations of data privacy or security laws. Our cybersecurity program is built on both operational and compliance foundations. The operational component focuses on continuous monitoring, detection, prevention, measurement, analysis and response to cybersecurity threats and incidents, including emerging risks. The compliance component provides oversight through risk-based controls designed to protect the confidentiality, integrity and availability of company data stored, processed or transmitted. Our cybersecurity program is fully integrated into our enterprise-wide risk management framework. Our cybersecurity program is led by our director of information technology (IT), who is ultimately responsible for developing and executing our overall information security strategy, policies, security engineering, operations and cyber threat detection and response. Our director of IT has extensive information technology and program management experience and leads a team with significant tenure and familiarity with our organization. Our director of IT reports to our vice president in charge of coordinating operational activities within our business segments. Our cybersecurity risks are also reviewed and tested annually through third party assessments and internal and external information technology audits. Our information technology team reviews cybersecurity risks at least annually, integrating findings into strategic risk assessments and applicable corrective action plans. We continually enhance our cyber defense strategy with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously bolstering our system resilience in an effort to minimize the business impact should an incident occur. Third parties also play a role in our cybersecurity posture. We engage reputable third-party security firms to provide guidance on industry best practices and regulatory standards, to support proactive and reactive cybersecurity efforts, and to conduct periodic evaluations of our cybersecurity posture, such as through penetration testing and security audits; these evaluations include testing both the design and operational effectiveness of our security controls. All company employees are required to complete cybersecurity training at least once a year and have access to more frequent cybersecurity training through periodic informational updates. Employees in certain roles also receive additional role-based, specialized cybersecurity training. We have a Cybersecurity Incident Disclosure and Controls Committee (CIDAC) which is central to the response and evaluation of cybersecurity incidents. Our CIDAC is comprised of our director of IT and senior executives including our chief executive officer, chief financial officer and general counsel, and our executive vice president who is also the Contran chief information officer. Information security events and incidents are evaluated, ranked by severity and prioritized for response and remediation. The IT team is responsible for categorizing cybersecurity incidents, and those deemed high-risk or critical are escalated to the CIDAC for strategic review and response coordination. Incidents are evaluated to determine regulatory requirements, materiality and potential operational, financial and reputational impact. Our CIDAC performs simulations and tabletop exercises at a management level to evaluate our readiness and response to cybersecurity incidents. As needed, we collaborate with external cybersecurity experts and legal advisors to help ensure a robust response strategy. - 11 - Our board of directors oversees management's processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our chief executive officer and chief financial officer, provides regular updates to the board of directors on our cybersecurity posture, emerging threats and our risk mitigation efforts. Our board of directors is apprised of cybersecurity incidents deemed to have significant business impact, even if they are not material to us. The board has delegated some of its primary risk oversight to board committees, including that our audit committee facilitates the board's process of oversight of our overall risk management approach. Our full board retains oversight of cybersecurity because of its importance to us and visibility with our customers. We also maintain a documented incident response plan. In the event of an incident, we follow a structured incident response playbook, which outlines clear and defined steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (such as legal), senior leadership, our CIDAC and the board, as appropriate. We also conduct post-incident reviews to identify lessons learned and implement continuous improvements. We face multiple cybersecurity risks. To date, such risks have not materially affected us, including our business strategy, results of operations or financial condition. While we have not experienced any major breaches, we actively monitor and mitigate cyber threats, including phishing attempts, malware and targeted attacks. To date such incidents have been minor, isolated and promptly contained. For more information about the cybersecurity risks we face, see the risk factor entitled "Technology failures or cybersecurity breaches could have a material adverse effect on our operations." in Item 1A- Risk Factors.

Company Information