Dorman Products, Inc. - (DORM)
10-K Filing Date: February 28, 2024
ITEM 1C. Cybersecurity
Risk Assessment
We depend on a variety of information systems and technologies (including cloud technologies) (collectively, “IT Systems”) to manage our business. We rely on these IT Systems to provide information for substantially all of our business operations, including supply chain, order processing, e-commerce, human resources, legal, compliance, marketing, finance, and accounting. Our core IT Systems consist mostly of purchased and licensed software programs that integrate together and with our internally developed solutions. As part of our overall enterprise risk management program, we monitor and assess the risks posed by cybersecurity threats to those internal and external systems and solutions and maintain an information security program designed to mitigate such risks.
Our information security program includes development, implementation, and improvement of policies and procedures to safeguard information to help ensure availability of critical data and systems. To the extent we utilize third-party vendors to provide information technology services for various areas, including human resources functions (e.g., payroll), we generally require these vendors to monitor and protect their information technology systems against cyber-attacks and other breaches. The Company's technology environment is managed by an experienced team of professionals who follow an extensive set of policies and procedures related to data security. Our program further includes review and assessment by external, independent third parties, who assess and report on our internal incident response preparedness and help identify areas for continued focus and improvement. With the assistance of one such reputable third party, the Company conducts biannual maturity assessments of its IT Systems against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We also carry insurance that provides protection against the risks from cybersecurity threats. To our knowledge, during fiscal 2023, there were no material cybersecurity incidents or threats that materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition.
Governance
Pursuant to its charter, the Audit Committee of the Board of Directors (the “Board”) has oversight of the Company's information security program, including, but not limited to, risks regarding cybersecurity threats. In particular, the Audit Committee reviews with management the Company’s key IT Systems and evaluates the adequacy of the Company’s information security program, compliance, and controls.
The Company's Senior Vice President and Chief Information Officer (“CIO”), who reports to the Company’s Chief Executive Officer, is responsible for the operation of the Company’s information security program. Our CIO is an IT veteran with over 25 years of experience in building and maturing cyber programs for large public companies. The CIO is supported by an internal team of certified security analysts that work in conjunction with leading security operations managed service providers to manage detection and response.
On at least an annual basis, a cyber risk report that highlights program governance, risks, and opportunities is provided to the Audit Committee and the full Board.
The Company maintains a Security Committee, which is led by the CIO and is comprised of individuals from the Company’s IT department – including dedicated security team members with various security certifications. The Security Committee regularly reviews information security program governance and key performance indicators. These reviews typically include the number of events, number of investigations, mean response time, and cyber trends. The Security Committee oversees the Company’s security roadmap and ensures monitoring of information security policies and procedures covering areas such as back-up and retention, acceptable use, disaster recovery, incident management, and passwords.
The success of the Company’s information security program relies not only on ownership by the CIO’s organization but also on an active and collaborative relationship within the business. The Company requires all employees to complete cyber training annually. For fiscal 2023, the Company maintained a security learning management system with phishing simulations distributed regularly to enhance cyber resiliency. Additionally, the Company leverages communications, contests, policies, videos, and visuals to continuously raise awareness among employees.