VIRCO MFG CORPORATION - (VIRC)

10-K Filing Date: April 12, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Our business is substantially dependent upon our computer systems, devices and networks to collect, process and store the data necessary to conduct most aspects of our business. We have developed and maintain a cybersecurity program, which includes people, processes, and technology aimed at defending our computer systems, devices and networks against increasingly sophisticated threats. Cybersecurity risk management is an integral part of our enterprise risk management program. Our cybersecurity risk management program is designed to align with industry best practices and is fundamentally based on the framework established by the National Institute of Standards and Technology (“NIST”) for handling cybersecurity threats and incidents, including threats and incidents associated with the use of applications and services provided by third parties. The NIST framework facilitates coordination across different departments of the Company and includes steps for assessing the severity of a cybersecurity threat, identifying the source of a threat, including whether the threat is associated with a third-party service provider, implementing countermeasures and mitigation strategies, and informing management and the Board of Directors of material cybersecurity threats, incidents, and impact.

Our cybersecurity team is under the direction of the Chief Operations Officer and VP of Technology and Information Security, who are responsible for assessing, deploying, and managing the cybersecurity risk management program. Recognizing the complexity and evolving nature of cybersecurity threats, the cybersecurity team engages with a range of independent third-party experts, including cybersecurity assessors and consultants, in evaluating and testing our risk management systems. Our collaboration with these independent third parties includes regular threat assessments, such as penetration tests and table-top exercises, and consultation on security enhancements. In addition, the cybersecurity team provides training to applicable members and ongoing cybersecurity education. The Company also maintains cyber risk insurance to help cover costs associated with data breaches and cyberattacks. We evaluate and assess the capabilities of third-party service providers depending on the products and services provided and the potential for data exchange and technology risk. We also receive and review independent assessments of security threats from our major service providers.

We regularly assess, identify and manage our material risks from cybersecurity threats by employing the following:

Identification of critical systems – we seek to identify which operational or information technology, if compromised or exploited, would result in operational disruption or data compromise. We aim to protect the entire environment at an enterprise level where practical, combined with additional layered, risk-based controls designed to safeguard against cybersecurity threats. This strategic, defense-in-depth, and risk-based approach to cybersecurity provides a methodology designed to identify, protect, detect, respond, and recover from cybersecurity incidents.

Network segmentation – we use a combination of firewalls and routers to provide network segmentation seeking to provide us with network zone protection.

Access controls – we leverage several security capabilities to attempt to enforce access, authorization and authentication to relevant systems, technology, and controls. A least-privilege methodology is applied for localized client workstations, servers, and applications. Security capabilities for access control include physical, administrative, and technical controls that combine to provide a defense-in-depth approach designed to protect our cyber assets from unauthorized use.

Continuous monitoring, detection, and auditing – we employ various technologies, tactics, and procedures aimed to continuously monitor, baseline, and detect threats, and audit our network and systems. In addition, we use a combination of technology tools with outside managed security service providers designed to capture, analyze and respond to security anomalies.

Patch management – we use a network vulnerability scanning tool that continually scans for, and reports, identified vulnerabilities in servers and workstations in certain networks. Vulnerability scanner reports are used to drive patching and remediation efforts and are also used as a tool to evaluate the effectiveness of efforts to seek to ensure patches are applied timely. Application and infrastructure subject matter experts subscribe to various third-party vendor security notifications to receive proactive notifications on, among other things, bugs, security flaws and mitigations related to operational and information systems.

Cybersecurity Governance

Our Board of Directors oversees the execution of our cybersecurity strategy and the assessment of cybersecurity risks, along with the actions that we take seeking to mitigate and address those cybersecurity risks. The Board has delegated primary oversight of cybersecurity risks to the Executive Team and Lead Independent Director, who also reports material cybersecurity risk to the full Board of Directors as necessary. The Board of Directors is responsible for ensuring that management has processes in place that are designed to identify and evaluate cybersecurity risks to which the Company is exposed and implement programs to manage cybersecurity risks and mitigate cybersecurity incidents.

Management under the Chief Operations Officer and VP of Technology and Information Security is responsible for identifying, considering, and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential risk exposures are monitored, implementing appropriate mitigation measures and maintaining cybersecurity programs. The Chief Operations Officer and VP of Technology and Information Security and cybersecurity team members are experienced information security professionals, many of whom hold professional certifications and have many years of experience in the field.

The Chief Operations Officer and VP of Technology and Information Security receive periodic reports from the cybersecurity team and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. Appropriate procedures for communication to the Executive Team are also built into the incident response plan.

The Chief Operations Officer and VP of Technology and Information Security provide regular updates to the Executive Team and the full Board of Directors on the Company’s cybersecurity risk management program, material cybersecurity risks, and mitigation strategies. Management provides the Executive Team with cybersecurity reports that cover, among other topics, third-party assessments of the Company’s cybersecurity risk management program, developments in cybersecurity, and updates to the Company’s cybersecurity risk management program and mitigation strategies.

Cybersecurity Threats

As of the date of this Annual Report, we are not aware of any cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See "Item 1A. Risk Factors - Failure in our information technology and storage systems or cybersecurity incidents could adversely affect our business." for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.