Energy Recovery, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Energy Recovery, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:09:04 EST.

Filings

10-K filed on 2024-02-21

Energy Recovery, Inc. filed an 10-K at 2024-02-21 16:09:04 EST
Accession Number: 0001421517-24-000055

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity Managing Material Risks & Integrated Overall Risk Management We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company- wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our Risk Management Team (see Management s Role Managing Risk below for details regarding the team members and scope) works closely with our Information Technology ( IT ) team to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Engage Third-parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity consultants in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third-parties includes regular audits, threat assessments, and consultation on security enhancements. Oversee Third-party Risk Because we are aware of the risks associated with third-party service providers, we have implemented stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes an initial assessment by our Director , Information Technology and IT team, and on an ongoing basis of a few key high-risk third-party systems by our security engineers. We also rely upon certain third-party system providers, including cloud and non-cloud programs provided by software developers such as Microsoft Corporation, Blackline Systems, Inc., Workiva, Inc ., and others, to review and notify their customers of any data breach. This approach, both internal and reliance on external review notification, is designed to mitigate risks related to data breaches or other security incidents originating from third- parties. R isks from Cybersecurity Threats While we have a cybersecurity program designed to protect and preserve the integrity of our information systems, we also maintain cybersecurity insurance to manage potential liabilities resulting from specific cyber-attacks. However, it’s important to note that although we maintain cybersecurity insurance, there can be no guarantee that our insurance coverage limits will protect against any future claims or that such insurance proceeds will be paid to us in a timely manner. As of December 31, 2023 , no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations, or financial condition. Table of Contents Energy Recovery, Inc. | 2023 Form 10-K Annual Report | 25 Governance The Board of Directors (the Board ) is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence. Board of Directors Oversight T he Audit Committee of the Board (the Audit Committee ) is central to the Board s oversight of cybersecurity risks and bears the primary responsibility for this domain. T he Audit Committee is composed of independent board members with diverse expertise and experience which allows them to oversee cybersecurity risks effectively. Management s Role Managing Risk We have an internal management team comprising of our Chief Financial Officer ( CFO ), Chief Legal Officer ( CLO ), VP, Corporate Controller, Sr. Director, SEC Reporting, and Director, Information Technology (the Risk Management Team ), that plays a pivotal role in informing the Audit Committee on cybersecurity risks. The Director, Information Technology and IT team monitor cybersecurity risks and perform continual risk exercises and assessments. The Risk Management Team meets quarterly to discuss current security breaches and threats, if any, and discuss new controls and results of the cybersecurity risk monitoring, exercises, and assessments . T he Risk Management Team provides comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats; Status of ongoing cybersecurity initiatives and strategies; Incident reports and learnings from any cybersecurity events; and Compliance with regulatory requirements and industry standards. In addition to our scheduled meetings, the Audit Committee and the Risk Management Team maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, the Board receives updates on any significant developments in the cybersecurity domain, ensuring the Board s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives. Risk Management Personnel Our Director, Information Technology (our IT Director ), who has a career of 23 years in IT, has in-depth working knowledge on IT systems and data security, and his experience is instrumental in developing and executing our cybersecurity strategies. Our IT Director along with the IT team, oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee cybersecurity risk training program. However, the primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the Risk Management Team. The diverse background and experience of our Risk Management Team members are instrumental in developing and executing our cybersecurity strategies and supplement the expertise of our IT Director with their understanding of the needs of our business. Monitor Cybersecurity Incidents Our IT Director and the IT team are continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. Our IT Director and the IT team implement and oversee processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, our IT Director is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Table of Contents Energy Recovery, Inc. | 2023 Form 10-K Annual Report | 26 Reporting to Board of Directors Our IT Director , in his capacity, regularly informs the other Risk Management Team members of all aspects related to cybersecurity risks and incidents. This ensures that various levels management are kept abreast of the cybersecurity posture and potential risks facing Energy Recovery, Inc. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Audit Committee, ensuring that the Audit Committee has comprehensive oversight and can provide guidance on critical cybersecurity issues.

Company Information