ACME UNITED CORP - (ACU)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity

We understand the critical importance of cybersecurity and proactively manage vulnerabilities to protect the confidentiality, integrity, and availability of our information assets. While we have not experienced any material risks from cybersecurity incidents to date, we recognize the evolving threat landscape and maintain a vigorous security posture. The materiality of an individual cybersecurity incident is determined by a comprehensive assessment framework that considers, but is not limited to, the following factors:

Impact on Business Operations: Potential disruptions to critical systems, services, or financial transactions.
Data Sensitivity: The nature and sensitivity of the data involved, with incidents concerning personally identifiable information or highly confidential data deemed more material.
Regulatory Compliance: Potential violations of cybersecurity laws, regulations, or industry standards.
Reputational Risk: Harm to the Company's reputation, customer trust, and brand value.
Legal Obligations: Legal requirements for reporting incidents and potential consequences of non-compliance.

Identification, Assessment of, and Response to Cybersecurity Threats

We employ a multi-layered approach to identify, assess, and report potential cybersecurity threats:

Threat intelligence tracking: We actively monitor relevant threat intelligence feeds and other sources to stay informed about emerging threats and vulnerabilities.
Managed Detection and Response (“MDR”) partnership: We have partnered with a recognized third-party MDR provider to enhance our threat detection and response capabilities. This service provides continuous monitoring via a 24/7 Security Operations Center that uses next-generation solutions for analysis and proactive response to potential threats, supporting timely identification and mitigation of cybersecurity incidents.
Metrics and Measurements: We capture telemetry from our IT infrastructure to measure the effectiveness of our security controls and identify areas for improvement.

Risk Management and Strategy

Although we develop and maintain systems and controls designed to prevent cybersecurity breaches, and we have a process to identify and minimize threats, the possibility of a breach cannot be eliminated entirely. As with most companies, our move toward cloud-based technologies and our increasing use of electronic transactions with customers and vendors mean that the related security risks will change and/or increase, requiring us to adapt and employ additional resources to protect our technology and information systems.

Our cybersecurity risk management program uses the National Institute of Standards and Technology (“NIST”) 800-37 framework as a foundation, tailored to our entity size, risk profile, and industry best practices. We believe that leveraging the NIST framework as a foundation ensures a balanced approach to minimizing vulnerabilities while maintaining operational efficiency. We maintain a comprehensive incident response plan with clearly defined roles and responsibilities. In the event of an incident, the plan prescribes notification procedures, containment measures, eradication steps, and recovery processes. We also conduct annual reviews to ensure the plan's effectiveness. Based on Cybersecurity and Infrastructure Security Agency (CISA) modeling, we are currently planning our first tabletop exercise of 2024 with the help of third-party specialists, which is expected to be completed in the second quarter of 2024. Our tabletop exercises include cybersecurity-based scenarios that incorporate various cyber threat categories, including ransomware, insider threats, phishing, and physical disasters. Additionally, as in prior years, this year we will perform vulnerability assessments and penetration testing through third-party providers to obtain an objective assessment.

Third-Party Service Providers

We consider security-related factors when choosing and working with third-party providers and have established processes to oversee and manage the risks associated with third-party service providers. We require providers to share their security reports (System and Organization Controls (SOC 1 and SOC 2)) prior to initial engagement and on an ongoing annual basis thereafter. We believe that the review of such reports helps us minimize the risk of data breaches or other problems resulting from our third-party relationships, especially with software-as-a-service (“SaaS”) providers.

Reporting

We have a communication process for incidents based on their severity, as outlined in our incident response plan and pursuant to various regulatory and contractual obligations. When a high-risk incident or potential high-risk incident is detected by our Security Operations Center or otherwise, executive leadership is immediately informed. The cybersecurity audit committee is notified, and the Chief Information Officer, in consultation with our Security Operations Center, submits a detailed report to senior management. For moderate-risk incidents, there is prompt notification, and a detailed report is prepared and submitted. If a cybersecurity incident is deemed material, it will be reported promptly under SEC rules.

Management and Board of Director Oversight of Cybersecurity Threats

The Company's Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Officer, who comprise our cybersecurity audit committee, as well as the Board of Directors, have responsibility for the oversight of cybersecurity threats and incidents and review the Company’s programs and policies on an annual basis. The Company’s Chief Information Officer has specific tactical and strategic responsibilities for overseeing technology infrastructure and cybersecurity.