NN INC - (NNBR)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
Cybersecurity Overview
We rely on proprietary and third-party information systems to process, transmit and store information and to manage or support our business processes. We store and maintain confidential financial and business information regarding us and persons with whom we do business on our information technology systems. We also collect and hold personally identifiable information of our employees in connection with their employment. In addition, we engage third-party service providers that may collect and hold personally identifiable information of our employees in connection with providing business services to us, including web hosting, accounting, payroll and benefit services.
Cybersecurity Governance
The protection of the information technology systems on which we rely is critically important to us. The Audit Committee of the Board of Directors has oversight for the reliability and security of our information systems, including identifying material risks and cybersecurity threats arising in our business. The Audit Committee receives updates from management on ongoing cybersecurity initiatives and events at least once per quarter. In the event of a material cybersecurity incident, management will notify the Cybersecurity Sub-Committee of the Board of Directors, which will provide oversight for the Company’s response to and mitigation of the incident.
Our Chief Financial Officer is responsible for the management of the Company’s information systems and oversees the Company’s information technology team (“IT Team”). The IT Team has in place documented procedures for cybersecurity response plans, which are reviewed annually or as events warrant. The IT Team utilizes third-party security experts to provide continuous external penetration testing, conduct security reviews, and provide a managed security operations center that performs 24/7 monitoring, as well as additional resources for threat and incident response activities.
Cybersecurity Risk Management and Strategy
We employ a multi-layered approach to protect our information systems from cybersecurity threats. We have around-the-clock security operations center coverage that uses an industry-leading security information and event management tool to aggregate and analyze data and provide immediate alerts for any breaches. All hardware within our information systems runs an industry-standard anti-virus solution, and we have an established patching program in place to keep security updates current. Penetration testing is conducted by an outside party on a continual basis, resulting in rapid discovery and remediation of any potential weaknesses. To ensure employee compliance with our processes, we require yearly cybersecurity training and conduct phish testing, including simulated phishing attempts, multiple times per month. Additional training is assigned to employees as deemed necessary to reduce the risk of cybersecurity threats. In case of a cybersecurity incident, we maintain a cybersecurity insurance policy to reduce any direct costs that could be incurred.
A cybersecurity incident could interrupt our operations, result in downtime, divert our planned efforts and resources from other projects, damage our reputation and brand, damage our competitive position, or subject us to liability claims or regulatory penalties under laws protecting the privacy of personal information. Although impacts of past cybersecurity incidents have been immaterial to date, the impacts of such events in the future may materially and adversely affect our business, financial condition, or results of operations.