Mativ Holdings, Inc. - (MATV)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Risk management and strategy

We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. Our enterprise risk management system incorporates risks from cybersecurity threats alongside other risks to the company. We employ a range of tools and services to inform our assessment, identification and management of material risks from cybersecurity threats, which include from time to time:

monitoring emerging data protection laws and implementing responsive changes to our processes;
undertaking periodic reviews of our policies with customers, partners, and suppliers and statements related to cybersecurity;
conducting cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
conducting phishing email simulations for employees and contractors with access to corporate email systems;
requiring employees, as well as third-parties who provide services on our behalf, to treat information and data with care; and
educating our teams on incident response, conducting tabletop exercises and using the findings to improve our processes and technologies.

We maintain a cybersecurity incident response plan designed to secure the enterprise, mitigate the impact of an incident, restore normal business operations, prevent similar future incidents and comply with applicable regulatory obligations arising from an incident. As part of the above process, we periodically engage with consultants and other third-parties, including annually having a third-party perform penetration testing and review our cybersecurity program to help identify areas for improvement and/or compliance. The Company’s cybersecurity procedures have been developed based on the National Institute of Standards and Technology ("NIST") cybersecurity framework. We also engage with a third-party security operation center to assist in monitoring our cybersecurity risk environment. Our risk management processes also address cybersecurity threat risks associated with our use of third-party service providers.

For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, see “Part I, Item 1A. Risk Factors -- A failure of, or a security breach in a key information technology system or process or other unusual events could compromise our information and expose us to liability, which could adversely affect our business; IT project delays and overruns are possible” which is incorporated by reference into this Item 1C.

As previously disclosed, during the three-month period ending September 30, 2022, the Company became aware of a cyberattack that had been recently made against certain systems within the Company’s network environment. The attack temporarily affected operations and caused delays in execution of sales transactions at some locations. In addition, the Company incurred financial costs to investigate and remediate the incident, some of which are expected to be mitigated by insurance. During the incident, the attackers accessed and exfiltrated Company data, including some personally identifying information of certain Company employees. The Company believes it has contained the incident, which only affected certain systems, and it has restored operations and notified affected individuals. The Company has put in place remediation measures designed to help prevent future similar attacks and has proactively undertaken to implement certain other enhancements to its security system.

Governance

Oversight of cybersecurity risk is a joint responsibility of the Board of Directors and the Audit Committee. The Company’s Chief Information Officer (the “CIO”) provides quarterly updates to the Audit Committee and the chair of the Audit Committee regularly updates the Board of Directors on cybersecurity matters potentially impacting the Company. Additionally, the CIO briefs the Board of Directors on information security matters at least annually.

In addition to oversight by the Audit Committee and the Board of Directors, our CIO chairs a Working Council that includes our Chief Financial Officer, Chief Human Resources and Communications Officer and our Chief Legal and Administrative Officer. Our IT organization also includes a Chief Information Security Officer who is responsible for establishing processes as well as management of all cyber security risks and programs to mature our NIST posture. Our CIO has served in this role since 2023 and has more than 30 years of experience in the aggregate in various IT leadership roles. His educational background includes a master’s in business administration in Information Systems from The State University of New York at Albany, and a bachelor’s degree in electrical engineering from Harcourt Butler Technological Institute, Kanpur, India.