SYPRIS SOLUTIONS INC - (SYPR)
10-K Filing Date: April 01, 2024
Cybersecurity
Risk Management and Strategy
We maintain a cybersecurity and information security program, which leverages the National Institute of Standards and Technology (“NIST”) 800-171. Risks from cybersecurity threats are regularly evaluated as part of our broader risk management activities and as a fundamental component of our internal control system. The scope of our evaluation encompasses risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers.
Key personnel receive cybersecurity training regularly. Our IT team engages third-party vendors to assist with providing timely cybersecurity threat alerts in addition to monitoring cybersecurity threats and our defenses against cyberattacks. This monitoring includes the proactive identification of vulnerabilities in our systems with threat intelligence. The employees within our IT team who specialize in cybersecurity operations are responsible for coordinating and overseeing the activities of these third-party vendors.
Sypris retains a managed service provider (MSP) for incident response to cybersecurity threats and cybersecurity incidents. This engagement is managed by the Director of IT, who coordinates activities and monitors response performance. The Director of IT prepares briefings for the Board of Directors and other relevant committees. Our IT team evaluates security alerts received from our MSP, and any alert or threat that the MSP or the IT team identifies as a cybersecurity incident (such as a data security breach) is promptly escalated for further assessment and immediate remediation. Upon confirmation that a cybersecurity incident has occurred, our IT team will coordinate with our MSP and representatives from other internal departments, legal counsel and other service providers as needed. The Director of IT directs the development of a coordinated response strategy, entailing risk containment, notification processes, system restoration, incident documentation and assessment.
The Director of IT will notify the other members of our senior management team and the Chairman of the Finance and Audit Committee of our Board of Directors as needed.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to affect us, including our business strategy, results of operations or financial condition. We and our third-party service providers have frequently been the target of cybersecurity threats and expect them to continue, and for an additional description of these cybersecurity risks and potential related impacts on us, see “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Governance
Board of Directors and Board Committees. In accordance with our Guidelines on Corporate Governance, the Board of Directors, both directly and through its committees, oversees the proper functioning of our risk management process. In particular, the Audit and Finance Committee assists the Board in its oversight of management’s responsibility to assess, manage and mitigate risks associated with the Company’s business and operational activities, including data privacy and cybersecurity concerns. The Board and Committee each meet at regularly scheduled and special meetings throughout the year at which meetings management reports to the Board concerning the results of its risk management activities, as well as external factors that may change the levels of business risk to which we are exposed. Specifically, the Audit and Finance Committee receives regular updates from the Director of IT, as often as necessary but at least once per year, with respect to our cybersecurity threats and responses to any cybersecurity incidents.
Management’s Responsibilities. Management has implemented risk management structures, policies and procedures, and manages our risk exposure on a day-to-day basis. Accordingly, management assesses and responds to cybersecurity threats as part of our ongoing risk assessment and as an internal control over financial reporting. The Director of IT directs our cybersecurity operations and risk responses. The Director of IT meets with the MSP at least once every quarter to review and assess cybersecurity incidents and non-incident threats (and response measures undertaken) to determine if any adjustment to our cybersecurity managed services is required.