GORMAN RUPP CO - (GRC)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY

 

The Company recognizes the importance of developing, implementing, and maintaining cybersecurity measures to ensure the security of our information systems and networks and the confidentiality, availability, and integrity of our data.

 

Risk management and strategy

 

The Company continues to build its culture of security and has integrated cybersecurity risk management into our broader enterprise risk management process. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes and operational practices. Our information technology department works closely with our senior management team to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

 


 

The Company provides training to all employees that reinforces the Company’s information technology risk and security management policies, standards and practices, as well as the expectation that employees comply with these policies. The training helps employees identify potential cybersecurity risks and threats and learn how to protect the Company’s resources and information. This training is mandatory for all employees globally on a periodic basis, and it is supplemented by firmwide internal and external service provider testing initiatives, including frequent phishing tests.

 

In addition to the employee training program, the Company has created an information security incident response policy and team. The risks related to cybersecurity, including the effectiveness of our training programs, are monitored on an ongoing basis by our information technology department and external service providers. In addition, to assess the incident response policy, periodically the Company engages a third-party expert to oversee a cybersecurity incident response training exercise and to facilitate group discussions regarding the effectiveness of the Company’s cybersecurity incident response strategies and tactics.

 

Recognizing the complexity and evolving nature of cybersecurity threats, Gorman-Rupp engages with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our risk management systems. These external experts leverage their specialized knowledge and insights on cybersecurity to assess and enhance our internal policies and processes through regular audits, threat assessments, and consultation on security enhancements and strategies.

 

We have not encountered cybersecurity challenges that have materially impaired our operations or financial standing. See Item 1A. Risk Factors – General Risk Factors – Cybersecurity threats.

 

Governance

 

The Board of Directors believes that control and management of risk are primary responsibilities of senior management of the Company. As a general matter, the entire Board of Directors is responsible for oversight of this important senior management function. The Audit Committee is responsible to the Board for the organizational oversight of the Company’s comprehensive enterprise risk management plan, including cyber risks. The Audit Committee is composed of board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.

 

Senior management plays a pivotal role in informing the Audit Committee on cybersecurity risks. The information technology department regularly informs the Chief Financial Officer (CFO) of all aspects related to cybersecurity risks and incidents. This ensures that senior management is kept abreast of the cybersecurity posture and potential risks. The senior management team presents updates to the Audit Committee quarterly and, as necessary, to the full Board. These regular reports include detailed updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents, if applicable.