NACCO INDUSTRIES INC - (NC)

10-K Filing Date: March 06, 2024
Item 1C. CYBERSECURITY

The Company maintains a cybersecurity program that is aligned with its business and has established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, which have been integrated into its overall risk management processes and governance structure.

The Company has implemented and invested in, and will continue to implement and invest in, controls, technologies, and resources (both internal and external) that are designed to identify, protect against, detect, respond to and mitigate cybersecurity risks, in alignment with frameworks established by the National Institute of Standards and Technology. These include, but are not limited to, internal reporting mechanisms, monitoring and detection tools, threat intelligence, and general and role-based training. The Company also maintains third party management processes to identify and manage the cybersecurity risks associated with third party service providers. The Company periodically evaluates its cybersecurity program internally and by engaging with consultants to conduct reviews and assessments of the program. Such reviews and assessments may include penetration testing, maturity assessments as well as table-top and other exercises with subsequent remediation of key findings. Additionally, the Company has a Cybersecurity Task Force in place that is comprised of individuals across various departments within the organization including information systems, legal, finance, human resources and internal audit which meets regularly to further advance the Company’s cybersecurity strategy.

The Board of Directors (the “Board”) oversees NACCO's risk management. The full Board regularly reviews information provided by management to oversee risk identification, risk management and risk mitigation strategies. The Audit Review Committee assists the Board with cybersecurity risk oversight. The Audit Review Committee is responsible for regularly reviewing and discussing with management risk exposure relating to cybersecurity, which includes reviewing the state of the Company's cybersecurity program and emerging cybersecurity developments and threats, as well as the steps management has taken to monitor and mitigate such exposure. In 2023, the Board and the Audit Review Committee received periodic updates throughout the year on cybersecurity matters and these updates are part of their standing agendas.

The Company’s Chief Information Security Officer ("CISO") leads the Company’s cybersecurity program and is responsible for the management of its cybersecurity risks. The CISO has extensive cybersecurity knowledge and skills gained from over 30 years of technical and business experience, including as General Manager & President of MLMC, Vice President of Mississippi Operations and Vice President of Innovation & Technology. The CISO holds a bachelor’s degree in engineering, an executive MBA, and certifications in cybersecurity from Harvard. Additionally, the CISO is currently enrolled in an Executive course through Northwestern’s Kellogg School of Management focused on artificial intelligence (“AI”). The CISO reports directly to the President and Chief Executive Officer. The CISO manages a team of internal and external resources that have expertise and experience in cybersecurity. The CISO is informed of cybersecurity incidents by the cybersecurity team, which is generally responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Company has an established process governing its assessment, response and internal and external notifications upon the occurrence of a cybersecurity incident, including evaluation of the potential impacts of cybersecurity incidents to determine materiality. Depending on the nature and severity of an incident, this process provides for escalation procedures upon discovery of material cybersecurity risks, including notification to the Company’s executive management and/or Board.

As of the date of this filing, the Company’s business strategy, results of operations, and financial condition have not been materially impacted as a result of any previously identified cybersecurity incidents; however, we cannot provide assurance that they will not be materially impacted in the future by such risks or any future material incidents. For additional information regarding the Company’s cybersecurity risks, please refer to "Item 1A - Risk Factors" on page 19.