METHODE ELECTRONICS INC - (MEI)

10-K Filing Date: July 11, 2024
Item 1C. Cybersecurity

Risk management and strategy

We depend on information systems and technology in substantially all aspects of our business, including running our manufacturing operations and communicating among our employees, suppliers and customers. Such uses of information systems and technology give rise to cybersecurity risks, including risk of system disruption, security breach, ransomware, theft, espionage and inadvertent release of information. We have a risk-based cybersecurity program, dedicated to protecting our data and information technology systems. These cybersecurity threats and related risks make it imperative that we remain vigilant and apprised of developments in the information security field, and we expend considerable resources on cybersecurity. With Board of Directors and Audit Committee oversight, as part of our annual enterprise-wide risk management process, we assess and manage the material risks associated with cybersecurity.

We work with industry-leading third parties that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, legal advisors, threat intelligence service providers, and penetration testing firms. We conduct periodic internal and third-party assessments to evaluate our cybersecurity posture and test and assess our incident response plan, incident roles and responsibilities, material impact evaluation, and decision-making processes in the event of a cybersecurity incident. We use our risk and security assessments to enhance our information security capabilities.

We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or third-party partner could materially adversely impact us. To address this, our vendor management process involves different levels of assessment depending on the services provided by the vendor, the sensitivity of the related information systems and data, and the identity of the provider. It is designed to help identify cybersecurity risks associated with a vendor and work with the vendor to address or mitigate those risks.

While we have experienced threats to our data and systems, to date, we have not experienced a cybersecurity incident that has materially affected our business strategy, results of operations, or financial condition. That said, a significant cybersecurity incident may materially impact our business strategy, results of operations and financial condition in the future. For further information regarding cybersecurity risks, see Item 1A, “Risk Factors” in this Annual Report.

Governance

Our Board of Directors, as a whole, has oversight responsibility for our strategic and operational risks, including cybersecurity. The Audit Committee of the Board of Directors is responsible for regularly reviewing with management our cybersecurity practices and policies. The Audit Committee regularly reports risks and compliance actions to the Board. As part of its oversight role, the Audit Committee receives regular reporting about our strategy, programs, incidents and threats, and other developments and action items related to cybersecurity regularly throughout the year, including through quarterly updates from the Chief Information Officer (“CIO”) who is also our Chief Information Security Officer. In addition, on at least an annual basis, the full Board of Directors receives reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes from our CIO.

Our cybersecurity program and related initiatives are managed by the CIO, and our IT team is responsible for enterprise-wide information technology, coordinating with various functions and business groups to ensure they are following best practices.

Our CIO, who has more than 25 years of experience in technology and information security risk management across a number of organizations, is responsible for overseeing the risks related to cybersecurity. He is responsible for cybersecurity incident preparedness, approving cybersecurity processes, reviewing security assessments and other security-related reports, and providing the senior leadership with regular updates on cybersecurity-related matters.

Our security operation center monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the information technology environment.

In the event of a suspected incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying the CIO and functional areas (e.g. legal) as appropriate. The CIO will make any required communications to the Chief Executive Officer (CEO) and other senior leadership, with the CIO making any required communications to the Board and Audit Committee. Our CEO, Chief Financial Officer, General Counsel and CIO are responsible for assessing such incidents for materiality, ensuring that any required notification, disclosure or communication occurs and determining, among other things, whether any prohibition on the trading of our common stock by insiders should be imposed prior to the disclosure of information about a material cybersecurity event.