GRAFTECH INTERNATIONAL LTD 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

GRAFTECH INTERNATIONAL LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 17:30:38 EST.

Filings

10-K filed on 2024-02-14

GRAFTECH INTERNATIONAL LTD filed an 10-K at 2024-02-14 17:30:38 EST
Accession Number: 0000931148-24-000021

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have an overarching cybersecurity program for assessing, identifying, and managing material risks from cybersecurity threats that includes documented policies and procedures and incorporates a layered cybersecurity defense. We utilize a variety of technologies that target detection of malicious attempts to infiltrate our information systems. We also maintain an endpoint threat detection and response tool which uses artificial intelligence to alert our managed security service provider. On a regular basis, we hire a third-party cybersecurity service provider that performs a penetration test on our information systems. The Company seeks to address vulnerabilities that are found. We also utilize a third-party cybersecurity training company to educate our employees about cybersecurity threats. On a regular basis, we send out test phishing emails with a follow up email explaining to end users the red flags in these emails. Where appropriate, we utilize dual-factor authentication on our information systems. On an annual basis we receive system and organization control reports from many of our key external IT vendors as these will reveal any sort of potential security issues these companies have had in the past year. We have experienced cybersecurity threats to our information technology infrastructure and have experienced non-material cybersecurity attacks, attempts to breach our systems, fraudulent activity and other similar incidents. As of the filing of this Annual Report, we are not aware of any such incidents that have occurred that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, results of operations, or financial condition. However, future security and/or privacy breaches, acts of vandalism or terror, computer viruses, misplaced or lost data, programming, and/or human error or other similar events with respect to our information technology systems or processes or the information technology systems or processes of third-parties that have been entrusted with our information expose us to a risk of loss or misuse of this information, litigation and potential liability, which could have a material adverse effect on our business, financial condition, results of operations or cash flows. Risks related to cybersecurity events are detailed in the section of this Annual Report titled Risk Factors Risks related to our business and industry We may be subject to information technology systems failures, cybersecurity attacks, network disruptions and breaches of data security, which could compromise our information and expose us to liability. Governance The Board oversees risks from cybersecurity threats through the same framework it uses to oversee the management of our risk exposure in general. Cybersecurity risks, including operations disruptions, outdated enterprise software and damage reputation, have been specifically incorporated into our enterprise risk management processes. These risks are scored based on impact, likelihood and established controls. Action plans are then established for each of the risks and are incorporated into objectives. Risks are then tracked and integrated into reporting and disclosure processes. Risks are reviewed at least bi-annually by a committee made up of representatives from finance, internal audit, treasury, operations, legal and others. Management at least annually provides to the Board updated information concerning cybersecurity threats as well as management s efforts to mitigate such threats. The Board then is responsible for overseeing that management responds appropriately. The Audit Committee, which is made up solely of independent directors, is responsible for overseeing Company policies and practices with respect to cybersecurity issues. Our Vice President, Information Technology leads our information security program and team, which is comprised of several members devoted to infrastructure and information systems security and management. Our Vice President, Information Technology has over 20 years of industry experience, including over 15 years at our Company, serving in roles throughout his career such as engineer, infrastructure manager, Director of Information Technology Infrastructure, and Global Director of IT. 21

Company Information