NN INC 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

NN INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 16:15:53 EST.

Filings

10-K filed on 2026-03-04

NN INC filed a 10-K at 2026-03-04 16:15:53 EST
Accession Number: 0000918541-26-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Overview We rely on proprietary and third-party information systems to process, transmit and store information and to manage or support our business processes. We store and maintain confidential financial and business information regarding us and persons with whom we do business on our information technology systems. We also collect and hold personal data of our employees in connection with their employment. In addition, we engage third-party service providers that may collect and hold personal data of our employees in connection with providing business services to us, including web hosting, accounting, payroll and benefit services. Cybersecurity Governance The protection of the information technology systems on which we rely is critically important to us. The Audit Committee of the Board of Directors has oversight for the reliability and security of our information systems, including identifying material risks and cybersecurity threats arising in our business. The Audit Committee receives updates from management of the ongoing cybersecurity initiatives and events at least once per quarter. In the event of a material cybersecurity incident, management will notify the Cybersecurity Sub-Committee of the Board of Directors, which will provide oversight for the Company's response and mitigation to the incident. Our Chief Financial Officer is responsible for the management of the Company's information systems and oversees the Company's information technology team ("IT Team"). The IT Team has in place documented procedures for cybersecurity response plans, which are reviewed annually or as events warrant. The IT Team utilizes third party security experts to provide continuous external penetration testing, conduct security reviews, and to provide a managed security operations center that does regular monitoring as well as provide additional resources for threat and incident response activities. Cybersecurity Risk Management and Strategy We employ a multi-layered approach to protect our information systems from cybersecurity threats. We have security operations center coverage that uses an industry standard security information and event management tool to aggregate and analyze data and provide alerts of potential breaches. Hardware within our information systems run an industry-standard anti-virus solution, and we have a patching program in place to keep security updates current. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats. For example, penetration testing is conducted by an outside party on a periodic basis, resulting in rapid discovery and remediation of potential 23 weaknesses. To ensure employee compliance with our processes, we require yearly cybersecurity training and conduct phish testing, including regular simulated phishing attempts. Additional training is assigned to employees as deemed necessary to reduce the risk of cybersecurity threats. In case of a cybersecurity incident, we maintain a cybersecurity insurance policy to reduce any direct costs that could be incurred. We use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We have a vendor management process to manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider. A cybersecurity incident could interrupt our operations, result in downtime, divert our planned efforts and resources from other projects, damage our reputation and brand, damage our competitive position, subject us to liability claims or regulatory penalties under laws protecting the privacy of personal information. Although impacts of past cybersecurity incidents have been immaterial to date , the impacts of such events in the future may materially and adversely affect our business, financial condition, or results of operations. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report, including " A security breach or disruption to our information technology systems, or those of the third parties with whom we work, could materially adversely affect our business, financial condition, results of operations and reputation ."

Company Information