DUCOMMUN INC /DE/ - (DCO)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
We have an enterprise-wide approach to addressing cybersecurity risk, including input and participation from management and support from our Information Technology (“IT”) Steering Committee, which is comprised of our Senior Vice President Electronic and Structural Systems, Chief Financial Officer, General Counsel, Chief Human Resources Officer, Vice President Supply Chain Management, and Chief Information Security Officer (Head of IT and Cybersecurity or “CISO”). Our cybersecurity risk management program leverages the National Institute of Standards and Technology (“NIST”) Framework, which is augmented with Cybersecurity Maturity Model Certification (“CMMC”) components to meet our particular needs. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on protection, detection, and mitigation. Our IT security team, which is comprised of internal resources, reviews enterprise risk management-level cybersecurity risks at least annually.
Our CISO is responsible for developing, implementing, and maintaining our information security strategy and program, as well as reporting various cybersecurity risk matters to our IT Steering Committee and the Board’s Innovation Committee. The Innovation Committee is a subset of the full Board of Directors and receives regular updates on our cybersecurity program.
Our CISO has over 17 years of experience leading cybersecurity oversight for several companies and is updated on cyber events related to the monitoring, prevention, detection, mitigation, and remediation efforts of our IT security team. The IT security team has broad cybersecurity expertise or industry certifications and is knowledgeable in the use of cybersecurity tools and software. In addition, third-party cybersecurity services are used to augment our in-house capabilities, as needed.
We continue to expand investments in IT security, including additional end-user security awareness training, using layered defenses, identifying and protecting critical systems, strengthening monitoring and alerting, and engaging experts as needed. We also use an industry-standard risk quantification model to identify, measure, and prioritize cybersecurity risks. This, in turn, helps us develop and implement effective security controls and technology defenses. In addition, all employees are required to complete various cybersecurity trainings on a regular basis. Further, we perform periodic simulations and tabletop exercises with the IT security team and will continue to expand their participants as appropriate. Our assessment of risks associated with the use of third-party providers, on a limited basis, is part of our current overall cybersecurity risk management approach. As threats and attacks become more sophisticated, we will modify and enhance our cybersecurity program as needed.
As a defense contractor, we must also comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement (“DFARS”) related to adequately safeguarding controlled unclassified information (“CUI”). The Department of Defense (“DoD”) will require defense contractors to comply with its CMMC program in the future. We are incorporating the requirements of the CMMC program into our overall cybersecurity program and anticipate that we will be in a position to meet such requirements when they become effective.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us and are not reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See “Cybersecurity attacks, internal system or service failures may adversely impact our business and operations” in Risk Factors included in Part I, Item 1A of this Form 10-K. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, implementing additional threat protection measures, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with third parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventive measures. For more information regarding the risks we face from cybersecurity threats, please see Risk Factors included in Part I, Item 1A of this Form 10-K.