Mayville Engineering Company, Inc. - (MEC)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity.

The Company is committed to maintaining a strong cybersecurity posture, devoting significant resources to cybersecurity and risk management processes to adapt to the rapidly evolving landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management program aligns with the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. The Company has designed and implemented cybersecurity policies and procedures for identifying and managing material risk from cybersecurity threats, both internally and related to the use of third-party service providers. We use various tools and methodologies to manage cybersecurity risk that are tested on a regular basis. At the tactical level, our information technology (IT) security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The Company monitors and evaluates our cybersecurity position and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds. Additionally, the Company maintains a formal information security training program for all employees that includes training on matters such as phishing, email security best practices and data privacy. To evaluate and enhance our cybersecurity program, external experts regularly evaluate it, with the results of those reviews reported to senior management and the Audit Committee. We also actively engage with key vendors, industry participants and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.

Oversight of cybersecurity risk is maintained by the Company’s Board of Directors and is supported by the Audit Committee of our Board of Directors (Audit Committee). The Audit Committee is primarily responsible for overseeing our design, execution and administration of the Company’s enterprise risk management process, and with regard to cybersecurity risks, setting expectations and accountability for management and reviewing management’s assessment of the effectiveness of our cybersecurity controls, including policies and procedures to address our cyber risks and overseeing the Company’s cybersecurity disclosures. The Company’s information security program is managed by the Company’s Director of IT, who reports to the Chief Financial Officer (CFO), and whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. The Director of IT periodically briefs the Audit Committee and our CFO, as well as our Chief Executive Officer, other members of the Board of Directors and other members of our senior management as appropriate. These reports include, but are not limited to, new developments, evolving standards, vulnerability assessments, third-party and independent reviews, threat environment summaries and technological trends. When applicable, the Audit Committee and other members of the Board of Directors also receive prompt information from the CFO regarding any material cybersecurity incident and appropriate ongoing updates thereto.

As of the date of this report, the Company is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, our business strategy, results of operations or financial condition. However, there can be no assurances that a cybersecurity threat or incident that could have a material impact on the Company will not occur in the future. In response to the rapidly evolving cyber threat environment, the Company continues to invest in data security and system resiliency. See also Item 1A, “Risk Factors” for additional discussion regarding risks related to information technology systems.
