SCI Engineered Materials, Inc. - (SCIA)

10-K Filing Date: February 09, 2024
ITEM 1C. CYBERSECURITY.

While we have never had a material cybersecurity incident that impacted our operations, we face various cyber and other security threats, including attempts to gain unauthorized access to sensitive information and networks; employee threats; virtual and cyber threats to our directors, officers, and employees; threats to the security of our facilities and infrastructure; and threats from terrorist acts or other acts of aggression. Our customers and vendors face similar threats. We utilize internal and external independent controls to monitor and mitigate the risk of these threats, including an outside independent Cybersecurity consultant, a Security Incident Response Plan (SIRP) and periodic Information Technology training for all employees.

Our SIRP is outlined as follows:

1. Preparation—perform a risk assessment, identify sensitive assets, and build a Computer Security Incident Response Team (CSIRT). Our team includes an outside IT Cybersecurity consultant that provides managed services on a regular basis.
2. Identification—monitor IT systems and detect deviations from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
3. Containment—perform short-term containment, for example by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems.
4. Eradication—remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
5. Recovery—bring affected production systems back online carefully, to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity.
6. Lessons learned—no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved.

The impact of potential cybersecurity threats is difficult to predict, but one or more of them could result in the loss of information or capabilities, harm to individuals or property, damage to our reputation, loss of business, regulatory actions, and potential liability, any of which could have a material adverse effect on our financial position, results of operations and/or cash flows. These threats could lead to losses of sensitive information or capabilities, harm to personnel, infrastructure, or products, and/or damage to our reputation as well as our vendor’s ability to perform on our contracts.

Effective incident response involves every part of our organization, including IT teams, legal, technical support, human resources, corporate communications, and business operations. Our Board of Directors oversees all business, property and affairs of the Company, including cybersecurity risks. Our management keeps the members of the Board informed of our business through discussions at Board meetings and by providing them with reports and other materials throughout the year.

Our CSIRT includes our independent outside cybersecurity consultant as our strategic lead, and the consultant and Chief Financial Officer (CFO) lead the Incident Response Team. Our consultant is certified in cybersecurity and our CFO has overseen our IT for over twenty years.