Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Mar. 31, 2026
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity risk management is an integral component of Capstone's overall enterprise risk management framework. We use, store, and process sensitive data relating to our customers, employees, partners, and suppliers across our business operations, and we recognize that the protection of this data, and the systems through which it flows, is essential to maintaining the trust of our stakeholders and the continuity of our business.

Following the NIST Cybersecurity Framework, we have implemented a cybersecurity risk management program designed to identify, assess, prioritize, and mitigate risks from cybersecurity threats to our data, systems, and operations. Key elements of our program include:

Threat Identification and Continuous Monitoring. Our third-party IT service providers provide 24/7 security monitoring of our systems and networks, enabling real-time detection and response to potential threats. We supplement this with internal monitoring and periodic assessments designed to identify emerging risks and vulnerabilities before they can be exploited.
Third-Party Risk Management. We apply comprehensive due diligence in evaluating and onboarding third-party service providers with access to our systems or data, including assessment of their cybersecurity controls, compliance posture, and incident response capabilities. We maintain ongoing monitoring of key third-party relationships and require adherence to applicable security standards as a condition of engagement.
Employee Training and Awareness. We provide regular cybersecurity awareness training to all employees, incident response personnel, and senior management, covering best practices for data privacy and security, phishing recognition, and safe handling of sensitive information. This training is updated periodically to reflect the evolving threat landscape.
Incident Response Planning. We have implemented a formal cyber incident response plan that establishes clear protocols for the identification, escalation, assessment, and remediation of cybersecurity incidents. The plan defines reporting obligations to senior management, the Audit Committee, and the Board, with the goal of ensuring timely assessment of material incidents and compliance with applicable disclosure requirements. Our incident response plan is reviewed and tested annually through a cybersecurity tabletop exercise to validate its effectiveness and identify areas for improvement.
Integration with Enterprise Risk Management. Cybersecurity threats are evaluated alongside other material business risks as part of our broader enterprise risk management process, ensuring that cybersecurity considerations are embedded in strategic and operational decision-making at all levels of the organization.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Following the NIST Cybersecurity Framework, we have implemented a cybersecurity risk management program designed to identify, assess, prioritize, and mitigate risks from cybersecurity threats to our data, systems, and operations.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Board is responsible for overseeing the assessment and management of major risks facing the Company, including cybersecurity risks. The Board has delegated primary oversight responsibility for information security matters to the Audit Committee, which receives periodic updates from management on the state of the Company's cybersecurity program, current and emerging threats, and the effectiveness of risk mitigation strategies and controls.

At the management level, our Chief Financial Officer ("CFO") has overall responsibility for cybersecurity risk management oversight, including the adequacy of risk mitigation strategies, systems, processes, and controls. The CFO receives regular updates from our internal IT team and third-party service providers on cybersecurity and information security matters, and communicates with the Audit Committee and the Board on a periodic basis, and promptly in the event of a significant incident, regarding the state of our cybersecurity posture and any material developments.

Day-to-day cybersecurity operations are managed by our Director of IT, who leads an internal team of security professionals and coordinates with our third-party IT service providers. Our IT team includes a Certified Information Systems Security Professional ("CISSP") and other professionals with extensive experience across a range of cybersecurity and technology disciplines. This combination of internal expertise and external 24/7 monitoring support is designed to provide comprehensive coverage of our cybersecurity risk environment.

The Audit Committee reviews cybersecurity risk as part of its broader risk oversight responsibilities and maintains direct lines of communication with both the CFO and the Director of IT to ensure that material developments are escalated appropriately and that the Board maintains informed oversight of this critical risk area.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Role of Management [Text Block]

At the management level, our Chief Financial Officer ("CFO") has overall responsibility for cybersecurity risk management oversight, including the adequacy of risk mitigation strategies, systems, processes, and controls. The CFO receives regular updates from our internal IT team and third-party service providers on cybersecurity and information security matters, and communicates with the Audit Committee and the Board on a periodic basis, and promptly in the event of a significant incident, regarding the state of our cybersecurity posture and any material developments.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Financial Officer
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our IT team includes a Certified Information Systems Security Professional ("CISSP") and other professionals with extensive experience across a range of cybersecurity and technology disciplines.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The Audit Committee reviews cybersecurity risk as part of its broader risk oversight responsibilities and maintains direct lines of communication with both the CFO and the Director of IT to ensure that material developments are escalated appropriately and that the Board maintains informed oversight of this critical risk area.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true