COLUMBUS MCKINNON CORP - (CMCO)

10-K Filing Date: May 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

In connection with our enterprise risk management process, we identify, prioritize, monitor and seek to ameliorate key risks that may affect the Company, including risks from or relating to cyber threats. We have enterprise-wide security policies, standards and controls that seek to incorporate best practices in security engineering, technology architecture and data protection. Our policies and controls include security measures designed to protect our systems against unauthorized access. We also maintain cybersecurity protection measures with respect to our information technology systems, including with respect to the protection of our customer data, vendor data and employee information. We have also implemented specialized training and education programs to seek to guard against cybersecurity events, such as enterprise-wide communications, presentations, phishing simulations and focused training for specific roles, as well as a general cybersecurity training program required for all employees. We also engage third parties to perform regular reviews of our security framework controls to promote objectivity. Our processes to identify, assess and manage material risks relating to cyber threats include risks associated with third party service providers, including cloud-based platforms. We believe that these policies and controls provide us with an appropriate comprehensive assessment of potential cyber threats.

To date, risks from cybersecurity threats have not materially affected the Company, and we do not believe these threats are reasonably likely to materially affect the Company, including its business strategy, financial condition or results of operations. However, the risks from cybersecurity threats and incidents continue to increase, and the preventative actions we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect our systems against all such threats and incidents. Refer to Item 1A – Risk Factors under the heading “Our business operations may be adversely affected by information technology systems interruptions or intrusion” for additional information.

Governance

Our cybersecurity program is overseen by a cross-functional committee of senior business leaders and is led by our Senior Vice President of Information Services and Chief Digital Officer (CDO). This management committee meets regularly and is charged with overseeing our cybersecurity strategy, seeking to ensure that cyber risks relating to the Company and its operations are managed, and that the program is aligned with the Company's business goals and objectives. The CDO has a formal education in information technology as well as extensive experience working in the Company’s information and technology function, and receives periodic training and education on cybersecurity-related topics.




The Board of Directors has delegated to the Audit Committee the task of assisting the Board of Directors in fulfilling its oversight responsibilities on cybersecurity matters. The Audit Committee oversees a number of the Company’s risk management practices, including those relating to cybersecurity risks. Our CDO provides updates on cybersecurity risks, threats, key developments in Company policies and practices, and related risk exposures to the Audit Committee regularly. A member of the Audit Committee will then brief the full Board of Directors on items discussed within the Audit Committee, including cybersecurity risks and related matters. Additionally, management provides an update to the full Board of Directors on cybersecurity matters at least once a year, and more often as needed. The Board of Directors annually reviews and approves the capital and operating budgets, ultimately reviewing and approving the amount spent by the Company on cybersecurity measures.


