Kimball Electronics, Inc. - (KE)

10-K Filing Date: August 23, 2024
Item 1C - Cybersecurity
We depend on information systems and technology in substantially all aspects of our business, including communications among our employees and with suppliers and customers. We recognize the significance of developing, implementing, and maintaining cybersecurity measures to safeguard our information systems and products and protect the confidentiality, integrity, and availability of our data.
Cybersecurity Risk Management and Strategy
We have designed our cybersecurity risk management program and strategy to protect the confidentiality, integrity, and availability of our critical information technology systems and information. Our program is integrated into, and among the risks evaluated and considered by, our broader enterprise risk management program, through which we identify, assess, prioritize, and mitigate risks across the Company to support the achievement of our strategic objectives.
Managing Material Risks & Integrated Overall Risk Management
Cybersecurity is a critical part of our enterprise risk management. To address cybersecurity threats, we leverage a multi-layer approach, with our Audit Committee providing oversight and direction and our Chief Information Officer (“CIO”) leading a team that is responsible for forming our enterprise-wide information security strategy, training, policy, standards, architecture and processes to protect us against cybersecurity risks. Our program includes protocols for preventing, detecting, and responding to cybersecurity incidents, and cross-functional coordination and governance of business continuity and disaster recovery plans. Components of our program include:
a continuous, four-phase Enterprise Risk Management (ERM) process of risk program development, risk assessment and prioritization, risk response, and risk validation and monitoring designed to help identify cybersecurity threats to our critical IT systems, information, and our broader enterprise IT environment;
the periodic engagement of independent security firms and other third-party experts, where appropriate, to assess, test, and certify components of our cybersecurity program, such as penetration (pen) testing, and to otherwise assist with aspects of our cybersecurity processes and controls;
focused, annual, and mandatory risk management education for our employees and leaders, including cybersecurity awareness training, multiple cybersecurity and phishing awareness campaigns throughout each year, and tabletop exercises;
regular assessments of the design and operational effectiveness of the program’s key processes and controls by management, our internal audit team, and third-party experts; and
a risk management process for third-party service providers and vendors not under our direct control that includes pre-selection due diligence and validation, and post-selection periodic monitoring to manage cybersecurity risks and monitor adherence to applicable cybersecurity standards.
We utilize ISO 27001 to identify, assess and manage information security risk and maintain a compliant Information Security Management System (“ISMS”). Our global information security management program is ISO 27001:2013 certified.
Third Party Engagements for Risk Management
We engage a range of external experts, including cybersecurity consultants and auditors to support, evaluate and test our cybersecurity risk management systems. We engage a managed security service provider (“MSSP”) that provides continuous threat intelligence by monitoring our network and connected devices to detect attacks and indicators of potential attacks.
Our collaboration with other third parties includes regular audits of our ISO 27001 compliance, penetration testing, threat assessments, and consultation on security enhancements. These partnerships provide expert knowledge and insights which are designed to ensure our cybersecurity strategies and processes are appropriate.
Governance
The Board’s Role
The Board is responsible for overseeing overall risk management for the Company, including annual or more frequent review and approval of the Enterprise Risk Management approach and processes implemented by management to identify, assess, manage and mitigate risk. The Board has delegated certain responsibilities for oversight of the Company’s cybersecurity and information security framework, data protection, and risk management to the Audit Committee of the Board. Our Board recognizes that cybersecurity protection is vital to maintaining our operations, the trust of our business and supply chain partners, and the trust of our Share Owners.
At each of their respective meetings, the Board and/or Audit Committee receive, and provide feedback on, reports on relevant data protection and cybersecurity matters. Additionally, two regular Board meetings each year and each Audit Committee meeting include additional, in-depth technology and cybersecurity briefings from senior members of our information technology department, internal audit function, and legal department. The topics covered by these reports and briefings include risk management strategies, data protection, ongoing risk mitigation activities, cybersecurity strategy, governance structure, and the results of security breach simulations.
Management’s Role
Our cybersecurity risk management program is led by our Chief Information Officer (“CIO”), who reports to our CEO and manages our security team, which is principally responsible for our cybersecurity risk assessment processes, our security controls, and our detection of and response to cybersecurity incidents. The CIO meets regularly with the CEO and his direct reports to discuss cybersecurity risk and ensure appropriate resources are prioritized to address risks. We continue to secure our own manufacturing and information technology infrastructure; to train our employees throughout each year about malware, viruses, hacking, phishing, and other information security risks, including how to avoid and mitigate them; and to protect our sensitive data from failures, breaches, or cyber incidents. We perform tabletop exercises more than once a year to test our incident response procedures, identify gaps and improvement opportunities, and exercise team preparedness.
The Company’s Chief Information Officer has formal education in information technology and more than 20 years of experience working in and leading information systems and technology functions. Our Chief Information Officer receives regular updates on cybersecurity matters, results of mitigation efforts, and cybersecurity incident response and remediation.
The members of the Company’s team responsible for developing and executing our cybersecurity policies together with our CIO, including our Director of Cybersecurity and Director of IT Infrastructure and Operations, have formal education and degrees in information technology or cybersecurity, experience working in information technology and cybersecurity (including relevant industry experience in security-related industries), or a combination of both education and experience. Additionally, leaders in the Company’s information technology function receive periodic training and education on cybersecurity-related topics. The CIO is responsible for providing quarterly updates to the Board’s Audit Committee regarding the effectiveness of the Company’s cybersecurity program and any material cybersecurity incidents that may arise.
The Company’s Kimball Electronics Support Center (“KESC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or our information systems and incidents originating from third parties. The KESC monitors, detects, alerts and responds to cybersecurity incidents, evaluating each incident pursuant to our Cybersecurity Incident Response Plan. The KESC escalates incidents with significant impact and pervasiveness to the Company’s Cybersecurity Incident Response Team (“CIRT”) for further action. Depending on the nature of the attack or indicator, our MSSP will collaborate with us in response to incidents to contain, mitigate, respond to, investigate and eliminate threats. Where appropriate, the CIRT will escalate incidents to the Audit Committee and the Board for additional consideration, action, and potential disclosure.
The KESC, our cybersecurity leaders, and/or our CIRT evaluate each incident, as appropriate, in terms of its impact on our operations, our ability to conduct business with customers and suppliers, our brand reputation and health, safety, and the speed and degree to which the incident has been contained. These teams are also responsible for activating containment and resolution efforts and interfacing with third-party service providers like our MSSP where appropriate to support the Company through the resolution of the incident. After initial identification, the KESC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness and communicates with our leaders, including the CIO and CIRT about the same.
Risks from Cybersecurity Threats
As part of our overall risk mitigation strategy, we maintain insurance coverage for certain aspects of cybersecurity risks; however, such insurance may not be sufficient either in type or amount to cover us against claims related to cybersecurity breaches, cyberattacks, and other related breaches.
As of the date of this report, we do not believe that any risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For more information on our cybersecurity related risks, see Item 1A - Risk Factors - “Our business may be harmed due to failure to successfully implement information technology solutions or a lack of reasonable safeguards to maintain data security, including adherence to data privacy laws and physical security measures.”