GENTEX CORP - (GNTX)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has implemented and maintains multiple layers of physical, administrative and technical security processes designed to protect our manufacturing facilities from disruptions that may result from cybersecurity incidents, as well as to safeguard the confidentiality of our critical systems and the data residing on those systems, including employee data, customer data, and intellectual property. Our risk assessment and management of material risks from cybersecurity threats are integrated into our overall enterprise risk management process, as well as our information systems processes. Our strategy includes regular formal risk assessments, dynamic risk and threat analysis, utilization of security tools, regular cybersecurity-related tabletop and phishing exercises designed to simulate cybersecurity incidents, and frequent security awareness and technical security trainings. We conduct periodic internal and third-party assessments to evaluate our cybersecurity posture and to test and assess our incident response program, incident roles and responsibilities, material impact evaluation, and decision-making processes in the event of a cybersecurity incident. We use our risk and security assessments to enhance our information security capabilities.

Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data, including an incident response policy, plan, procedures and scenario-based playbooks, an incident detection and response program, a vulnerability management program, disaster recovery and business continuity plans, risk assessment processes, security standards, network security controls, access controls, systems monitoring, employee awareness training and cybersecurity insurance. The Company has obtained Trusted Information Security Assessment Exchange (TISAX) certification labels within the United States and Germany.

Our internal information security team oversees and works collaboratively with various information security service providers. Our cybersecurity program incorporates external guidance and expertise through the use of third-party service providers to assist in the identification, assessment and management of risks specific to cybersecurity threats, including vendors providing threat intelligence, risk mitigation, dark web monitoring, external scanning and scoring, threat and reputation monitoring, forensics, cyber-insurance, advisory services and legal counsel.

We have an incident response plan that includes scenario-based playbooks for managing cybersecurity incidents and associated crisis communication procedures designed to facilitate coordination across the Company and with our partners, customers, the public and others.

For the year ended December 31, 2023, there have been no risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For a description of risks related to our information technology systems, including cybersecurity threats, see Item 1A, "Risk Factors."

Governance

Our Board addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board (the "Audit Committee") is responsible for overseeing our cybersecurity risk management processes, including our assessment and mitigation of material risks from cybersecurity threats. The Audit Committee receives regular reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes from our information technology and cybersecurity experts. In addition, on at least an annual basis, the Board receives reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes.

Our cybersecurity risk assessment and management processes are implemented and maintained by our VP of Information Technology and Information Security Officer ("VP of IT"), who is supported by other members of management, as necessary. Our VP of IT is responsible for approving budgets, cybersecurity incident preparedness, approving cybersecurity processes, reviewing security assessments and other security-related reports, and providing the Chief Financial Officer ("CFO") with regular updates on cybersecurity-related matters. The Company also has an IT Executive Steering Committee comprised of the VP of IT, CFO, General Counsel, CTO and VP of Operations. The VP of IT provides regular cybersecurity updates to the Audit Committee. The Company's VP of IT has served in this role for two years and has more than 24 years of relevant experience. In addition, we have an information security team comprised of dozens of employees dedicated to cybersecurity with extensive experience and relevant certifications. The VP of IT is responsible for hiring appropriate personnel, assisting with the integration of cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, and mitigating and remediating in the event of a cybersecurity incident.

Our cybersecurity incident response and vulnerability management programs are designed to escalate certain cybersecurity incidents to various levels of management depending on the circumstances, including our VP of Information Technology and Information Security Officer, General Counsel, CFO and/or Chief Executive Officer. Management works with our incident response team to help mitigate and remediate certain escalated cybersecurity incidents. In addition, our incident response and vulnerability management programs include reporting certain cybersecurity incidents to the Audit Committee and, in certain circumstances, to the Board.