TENNANT CO 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

TENNANT CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 13:49:02 EST.

Filings

10-K filed on 2024-02-22

TENNANT CO filed a 10-K at 2024-02-22 13:49:02 EST
Accession Number: 0000097134-24-000008


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity processes to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our approach to assessing, prioritizing, and effecting cybersecurity processes and projects is based on standards from the National Institute of Standards and Technology (NIST).

We have established an enterprise risk management (ERM) program that considers our enterprise strategy, information from internal stakeholders, and information from external sources (e.g., emerging risks and trends, evaluations by third parties, and best practices) to identify, assess, categorize, and monitor risks including cybersecurity risks. The ERM program develops enterprise risk profiles to address individual risk drivers, develop action plans, and monitor against key risk indicators. At least annually, the ERM program is presented to our Board, Audit Committee, and members of management.

We have strategically integrated cybersecurity risk management into our broader ERM program to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes. Our strategy includes regular employee training and awareness on cybersecurity risks and related best practices, required password complexity, the use of multi-factor authentication, information security protocols, anti-virus and anti-ransomware software, a patch management program, the execution of table top exercises on a periodic basis, established policies and protocols for cyber incident response planning and reporting, and ongoing internal cybersecurity testing. Our risk management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.
We test our ability to respond to cybersecurity incidents on a recurring basis. Additionally, we engage third-party service providers to assist with the ongoing monitoring for cybersecurity events and incidents, as well as to complete risk quantification analysis and perform penetration and vulnerability testing. If any gaps are identified, the third-party service providers also assist with incident assessment and response.

We conduct thorough up-front security assessments of all third-party providers before engagement, led by our Vice President, Chief Information Officer (CIO) and our cybersecurity team, and we maintain ongoing monitoring to ensure compliance with our cybersecurity standards. This approach is designed to mitigate risks related to security incidents originating from third parties.

We have not encountered cybersecurity incidents or identified risks from cybersecurity threats that have materially impaired our operations or financial standing.

Governance

Within our organization, we have a management team responsible for assessing and managing cybersecurity risks. The team is led by our CIO and consists of the Cyber Security Incident Response Team (CSIRT) and internal audit personnel. The CSIRT is comprised of IT management and experienced cybersecurity personnel. The role of the CSIRT is to promptly handle an incident so that containment, investigation, and recovery can occur quickly. Where third-party services are leveraged, they ensure they are engaged as necessary. The CSIRT Leader oversees and prioritizes actions during an incident’s detection, analysis, and containment. They are also responsible for conveying the special requirements of high severity incidents to the rest of the organization as well as communicating potential impacts to the CIO. Additionally, they are responsible for understanding the SLAs in place with third parties, and the role third parties may play in specific response scenarios.
Our CIO has more than 30 years of experience in IT, enterprise security, and cyber risk management and has previously held global IT infrastructure and business solutions roles, including nearly 20 years in such positions in the manufacturing industry. In addition, our CSIRT Leader has 30 years of technology and cybersecurity experience and has previously held data security and global IT infrastructure positions at risk management and asset protection services companies.

Effective February 2, 2024, our CIO has retired from employment and continues to serve as our CIO as a contractor through April 2024. During this time, he will continue his existing duties including oversight and management of cybersecurity risks. An active search is underway for a new CIO.

The CIO and CSIRT, in combination with the Senior Vice President, Technology and Innovation and CEO, play a pivotal role in informing the Audit Committee of the Board of Directors on cybersecurity risks. The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.

The Vice President, CIO provides comprehensive quarterly briefings to the Audit Committee. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats; Status of ongoing cybersecurity initiatives and strategies; Incident reports and learnings from any cybersecurity events; and Compliance with regulatory requirements and industry standards.

In addition to our quarterly meetings, the Audit Committee, CIO and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.
The CIO and CEO provide updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, as well as tabletop exercises for tactical response readiness. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Tennant Company. The Audit Committee conducts an annual review of the Company’s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.


Company Information

Name: TENNANT CO
CIK: 0000097134
SIC Description: Refrigeration & Service Industry Machinery
Ticker: TNC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30