Orion S.A. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

Orion S.A. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 19:25:24 EST.

Filings

10-K filed on 2024-02-14

Orion S.A. filed an 10-K at 2024-02-14 19:25:24 EST
Accession Number: 0001609804-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are fully committed to protecting our assets and ensuring security across our Information Technology ( IT ) and Operational Technology ( OT ) environments. Our approach to cybersecurity involves implementing technology standards, processes and an organizational design according to industry practices to strengthen our defenses against cyberattacks. We utilize security technologies, like firewalls, intrusion detection systems and encryption tools to establish defenses against cyber threats. We are committed to updating and patching our systems to ensure that vulnerabilities are promptly addressed. Our processes are aligned to identify weaknesses and areas for improvement by conducting cybersecurity audits and assessments. In the event of a cybersecurity incident, we have a defined incident response plan in place. The plan provides guidance on how to effectively respond. Our employees also undergo regular training programs on identified cybersecurity threats, and their role in maintaining a secure environment. We continually develop solutions to mitigate the impact of cyber risks from external actors cyber activity, including via portals for potential and current partners with capability to report suspected phishing. Furthermore, we have a risk assessment procedure that identifies and examines cyber risks by taking into account their impact and the likelihood of them being exploited. We evaluate risk as part of our cybersecurity management program to validate capabilities and limitations. Together with our third-party IT service providers, we conduct vulnerability and security assessments, penetration testing and scenario-based evaluations to assess the effectiveness of our security measures against cyber threats. This allows us to make informed decisions regarding the prioritization and mitigation of risks in the IT and OT space. In addition, we also benchmark our measures to marketplace security standards such as the U.S. National Institute of Standards and Technology s ( NIST ) and other cyber security standards. Regular table-top exercises are conducted, and we have a continuous security improvement process in place. These processes also take into account risks that arise from our external partnerships and we understand that collaborating with external parties introduces vulnerabilities, such as supply chain risks, possibility of third-party data breach and reliance on partner security measures. Our approach to managing cybersecurity is designed to ensure oversight and strategic leadership. Leading our cybersecurity risk management efforts is our Chief Information Security Officer ( CISO ). 20 Table of Contents Orion S.A. In the case of cybersecurity incidents, our CISO leads our Cyber Emergency Response Team disclosure process, which is a collaborative process by which our CISO is advised of cyber incidents and communicates and collaborates with relevant departments across the organization to develop and execute an appropriate response. The Board has delegated cybersecurity monitoring responsibility to the Audit Committee. Regular updates on cybersecurity status, material cyber incidents, and cyber risk management from either the Chief Information Officer ( CIO ) or CISO are provided to both the Board and Audit Committee. The Audit Committee regularly discusses identified security risks with senior management and reviews management proposed mitigation measures, key cyber initiatives and programs. The Board also considers cybersecurity topics including risk mitigation on a regular basis. We believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. Our Risk Factors include further details about the material cybersecurity risks we face. See Item 1A., Risk Factors, above. 21 Table of Contents Orion S.A.

Company Information