ENNIS, INC. - (EBF)

10-K Filing Date: May 10, 2024
ITEM 1C. CYBERSECURITY

We believe that cybersecurity is important to maintaining the trust of our customers and employees. We have implemented a cybersecurity risk management program that is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats which could adversely affect the confidentiality of our data and the integrity of our business operations and financial systems. Our cybersecurity program is based on best practices and guidelines of the National Institute of Standards and Technology Cybersecurity Framework. We have company-wide policies and procedures in place that further enhance our ability to identify and manage cybersecurity risk.

Annual risk assessments and penetration testing are performed by independent third party consultants. These tests are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. The results of these tests are presented annually to the Board of Directors ("Board"), Audit Committee, and senior management for review to ensure compliance with cybersecurity standards.

During the fiscal year ended February 29, 2024, we have not identified any risks from cybersecurity threats that have materially affected our business operations or financial conditions.

Governance

Our Board of Directors, Audit Committee and senior management oversee risk management to ensure that the Company's policies and procedures are functioning as intended to protect the Company’s information systems from cybersecurity threats. The Audit Committee performs an annual review and discussion of the Company’s cybersecurity program, which includes planned actions in the event of a threat or recovery situation.

Our IT team is led by the Vice President of Administration and the Director of Information Technology. The latter is responsible for regular assessment and management of cybersecurity risks. The Director of Information Technology has constant access to the Audit Committee to provide regular updates as necessary regarding any new developments.

We view cybersecurity as a shared responsibility of the Audit Committee and the IT team led by the Director of Information Technology, and we incorporate external resources and advisors as needed to conduct evaluations of our security controls through penetration testing, independent audits and consulting on best practices. The results of those tests are presented annually to the Board.