MARINE PRODUCTS CORP - (MPX)

10-K Filing Date: February 28, 2024

Item 1C. Cybersecurity

Risk Management and Strategy

Marine Products approaches cybersecurity as an enterprise-wide risk and has created a Cybersecurity Risk and Compliance Program that outlines governance programs in place and outlines efforts undertaken to mitigate cyber risks. We have implemented policies and processes designed to detect, prevent, and respond to cybersecurity incidents. To help guide its overall program, the Company uses the Center for Internet Security (CIS) Controls framework to provide best practices for securing IT systems and data. We have implemented a majority of version 8.0 of the CIS Controls which supports a Zero Trust architecture.

The Company has several security policies that are published and accessible to all employees. All these policies are reviewed annually and updated as needed to address emerging risks or gaps in compliance. Marine Products has not experienced a material cybersecurity incident to date. If a material cybersecurity breach occurs, the incident will be reviewed to determine whether further escalation is appropriate. Any incident assessed as potentially being or becoming material will immediately be escalated for further assessment and reported to designated members of our executive leadership team and, if deemed necessary, the Board of Directors. We plan to consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and make the final materiality determination regarding disclosure and other compliance decisions. We also plan to keep our independent public accounting firm informed of such incidents as appropriate. While the Company is currently self-insured for cybersecurity risks, we are evaluating a cyber liability insurance policy that may provide coverage for expenses, business losses, business interruption, and fines and penalties associated with a data breach or other similar incident. The Company has a periodic touchpoint with all third-party information technology service providers to identify material risks from cybersecurity threats.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks see Item 1A Risk Factors of this Annual Report on Form 10-K.

Governance

Role of the Board

The Board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage, and mitigate risk, at least annually. The Board has delegated its responsibility for oversight of the Company’s cybersecurity and information security framework and risk management to the Audit Committee. The Audit Committee receives information and updates at least quarterly and actively engages with senior leaders with respect to the effectiveness of the Company’s cybersecurity and information security framework, data privacy, and risk management. In addition, the Audit Committee receives reports summarizing threat detection and mitigation plans, audits of internal controls, training and certification, and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to information systems security, including cybersecurity incidents. The Audit Committee includes members with experience in risk management including cybersecurity.

Role of Management

Company management has established a Cybersecurity Governance Committee that is comprised of the Information Technology Manager and senior members of management. The Committee meets periodically to discuss cybersecurity program updates and challenges, watch for potential threats from both external and internal sources, monitor compliance in existing or emerging business practices, and respond to stakeholder inquiries. The Information Technology department is comprised of professionals with extensive expertise and led by its manager with over 20 years of experience in various aspects including cybersecurity. The manager continuously monitors trends and stays current with the various cybersecurity threats and related mitigation opportunities. The Company periodically engages a third-party service provider to perform an external vulnerability scan of the Company network to identify known threats, and to date no critical vulnerabilities have been identified during these assessments.
