Atmus Filtration Technologies Inc. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

Atmus Filtration Technologies Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 08:01:48 EST.

Filings

10-K filed on 2024-02-14

Atmus Filtration Technologies Inc. filed a 10-K at 2024-02-14 08:01:48 EST
Accession Number: 0001921963-24-000007


Item 1C. Cybersecurity.

Our management and board of directors (the "Board") recognize the importance of maintaining the capacity, reliability and security of our information technology environment and data security infrastructure to deliver on the expectations, and maintain the trust and confidence, of our customers, clients, business partners, employees and investors. The Board is actively involved in our risk management practices, including oversight of our overall enterprise risk management ("ERM") framework, in which cybersecurity risk management is reviewed by the board at least on an annual basis. Our cybersecurity and privacy programs align with the recognized frameworks established by the National Institute of Standards and Technology and leverage the International Organization for Standardization and other applicable industry standards. The focus of our cybersecurity program is preserving the confidentiality, security and availability of our systems and data, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Cybersecurity Risk Management and Strategy

We have established and implemented processes to assess, identify and manage material cybersecurity risks. Cybersecurity risks are assessed, identified and managed by our Director of Global Cybersecurity, with direct supervision by our Chief Information Officer ("CIO") and with the assistance of our internal audit and legal teams.
Our Director of Global Cybersecurity shares information regarding such risks with our management's senior level information security council (the "Information Security Council"), which consists of our CIO, Chief Financial Officer, Chief Technical Officer, Chief Legal Officer & Corporate Secretary, Vice President of Strategy and Director of Internal Audit & Enterprise Risk Management, and which supports the Audit Committee's oversight of cybersecurity risk, including by providing regular reports on various cybersecurity matters. We have in place robust physical, technical, administrative, and organizational controls for the securing of our information systems.

We maintain a comprehensive, risk-based, third-party risk management process to identify, assess and manage cybersecurity risks associated with third-party service providers. Third-party service providers undergo thorough pre-engagement due diligence, including security and privacy assessments. All service providers are required to enter into contracts containing security and data processing terms no less stringent than those employed by us in safeguarding our own data. Any third-party service providers with access to confidential or sensitive data are subject to ongoing oversight activities, including assessments and audits, throughout the lifetime of the engagement.

Additionally, we maintain a comprehensive incident response plan (the "Incident Response Plan"), which establishes a comprehensive, effective and repeatable process for identifying, escalating and responding to cybersecurity incidents. We test and evaluate the Incident Response Plan, including contingency and recovery plans, on a regular basis, and we develop, implement and review contingency and recovery plans for information systems, both internal and vendor managed.
The results of such assessments drive changes and enhancements to governance, policies, procedures, technologies and partner decisions to continuously monitor and improve our cybersecurity risk management. The Information Security Council practiced the procedures of the Incident Response Plan through a tabletop exercise facilitated by external consultants in October 2023, and a similar exercise is planned for the Board during 2024. We also leverage third-party support, including vendors, consultants and assessors, to analyze risk exposure, to identify remediation opportunities and to reduce our overall cybersecurity risk.

Previous cybersecurity incidents have not materially affected us, including our business strategy, financial condition, results of operations or cash flows. However, risks from cybersecurity threats, including but not limited to security breaches, computer malware, ransom attacks, other cyber-attacks, or other similar threats may materially affect us, including our business, financial condition, results of operations or cash flows.

Governance

The Board oversees the Company's overall ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee is responsible for overseeing our risk exposure to information security, cybersecurity and data protection, as well as the steps management has taken to monitor and control such exposures, and regularly provides reports to the Board on cybersecurity risk management. The Audit Committee Charter was amended in October 2023 to explicitly set forth the Audit Committee's responsibility for such oversight. The Audit Committee receives regular presentations and reports from our Director of Global Cybersecurity and our CIO on cybersecurity risks and prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds.
Our Information Security Council also reports to the Board at least annually on data protection and current internal and external developments in cybersecurity, as part of the Board's enterprise risk management review, and the Board receives reports of Audit Committee discussions regarding its oversight of cybersecurity risk. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to the Audit Committee or the Board in a timely manner.

Our Global Cybersecurity Operations function is a global team led by our Director of Global Cybersecurity, who reports to our CIO. In turn, our CIO reports to our Chief Executive Officer. The Information Security Council provides additional oversight for assessing and managing cybersecurity risk.

Our Director of Global Cybersecurity has over 15 years of cybersecurity and information technology experience, including as Director of Cybersecurity for various institutions. Our Director of Global Cybersecurity has a Bachelor of Science in Information Science and Technology and a master's degree in information sciences, cybersecurity and information assurance, and he has a Certified Information Systems Security Professional certification, a GIAC Information Security Professional certification and a CompTIA Network+ ce certification. Our CIO has over 25 years of cybersecurity and information technology experience, including serving in the information technology function at Cummins Inc., where she served as the information technology leader in Cummins Filtration Inc., and as a programmer, analyst and information technology architect. Our CIO holds an undergraduate degree in business administration with emphasis in management information systems.
Our Chief Financial Officer, Chief Technical Officer, Chief Legal Officer, Vice President of Strategy and Director of Internal Audit & Enterprise Risk Management each have relevant educational and industry experience, including managing risks at our Company and at similar companies, including risks arising from cybersecurity threats.


Company Information

Name: Atmus Filtration Technologies Inc.
CIK: 0001921963
SIC Description: Motor Vehicle Parts & Accessories
Ticker: ATMU - NYSE
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30