Manitex International, Inc. - (MNTX)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

The Company recognizes the critical importance of identifying, assessing and managing material risks from cybersecurity threats. We have an enterprise-wide cybersecurity risk management program to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner.

Our cybersecurity risk management program leverages the Center for Internet Security (CIS) framework. This includes the CIS Risk Assessment Method (CIS RAM) and CIS Controls Self-Assessment (CSAT). We are implementing CIS Critical Security Controls to assess and strengthen our risk management and cybersecurity posture against an evolving threat landscape.

Key elements of our cybersecurity risk management program include:

The formalization and implementation of enterprise-wide IT and Information Security Policies which include encryption standards, antivirus protection, vulnerability management and reporting, multifactor authentication, granting and removing of access, confidential information, credential standards, and the baseline hardening of devices;
Conducting vulnerability assessments and penetration tests;
Enhancement of segregation of duties to mitigate the risk of self-review of transactions within the system;
Revision of user access request documentation to clearly define the roles and permissions assigned to users;
Thorough review of the accuracy and completeness of user listings and access;
Monthly evaluations to identify and assess cybersecurity risk to our enterprise information technology environment;
Continued collaboration with external specialists to aid in the ongoing evaluation of existing policies and assess, test or otherwise assist with aspects of our security controls; and
General cybersecurity training for all employees and role-based specialized training for certain roles to enhance the awareness of shared responsibility for cybersecurity risk management.

We continue to face multiple cybersecurity risks, and, in the past, we have had minor incidents. None of the prior incidents had a material effect on our reputation, business strategy, results of operations or financial condition. For more information on the cybersecurity threats and risks we face, see Part I, Item 1A. – Risk Factors.

Cybersecurity Governance

The Board of Directors has delegated the oversight of cybersecurity risk to the Audit Committee. The Audit Committee oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our CFO, regularly briefs the Audit Committee on our cybersecurity and information security posture and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.

Through our IT Steering Committee, the Director of Global IT provides regular reports to the CFO on cybersecurity metrics and any cybersecurity incidents. The Company’s Director of Global IT is responsible for developing and implementing the information security program and reporting on cybersecurity matters to the CFO and the IT Steering Committee. Our IT Steering Committee is comprised of representatives from Information Security and Technology, Internal Audit and members of executive management. This committee meets periodically to discuss and review Manitex’s information security program and receives updates from the Information Security and Technology Department and Internal Audit Department.

We have continued to expand our security controls, investment, and oversight of our cybersecurity program. The Information Security and Technology management team regularly monitors alerts and reviews the resolutions. We regularly test and review our defenses by performing internal tests, including phishing and vishing tests, external red team penetration testing, and by reviewing our operational policies, procedures, and controls with third-party experts. Prior to engaging a third-party vendor, IT management reviews and approves service organizational control reports. The review of vendor SOC reports for existing vendors is completed annually. Tests, reviews, and assessments are important tools for properly maintaining a robust cybersecurity program.