LUXFER HOLDINGS PLC 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

LUXFER HOLDINGS PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:46:13 EST.

Filings

10-K filed on 2024-02-27

LUXFER HOLDINGS PLC filed a 10-K at 2024-02-27 16:46:13 EST
Accession Number: 0001096056-24-000011


Item 1C. Cybersecurity.

Overview

As customer preferences and business-efficiency demands lead to a more connected and digitized world, cybersecurity and privacy risks have become critical business issues. Luxfer understands the systemic nature of cybersecurity threats to the safety and security of our Company, customers, and employees. As such, Luxfer is committed to safeguarding and protecting our information technology ("IT") network, equipment, and systems against cybersecurity threats to ensure our future security and reduce risk. Accordingly, we will continue to review and update our existing governance, policies, and practices to address the following objectives:

- Ensure business continuity by protecting Luxfer's technology, data, intellectual property, and information assets;
- Increase cyber-resiliency and enhance controls for detecting and mitigating cybersecurity incidents;
- Safeguard the availability and reliability of Luxfer's network infrastructure, systems, and services;
- Ensure compliance with all applicable regulations and Luxfer policies, controls, standards and guidelines; and,
- Comply with requirements for confidentiality and privacy for Luxfer's customers and employees.

As of the date of the filing of this Form 10-K, we are not aware of attempts by third parties to gain access to our systems and networks and do not believe that any such attempts have had a material effect, or are reasonably likely to have a material effect, on our business, operations, or financial condition.

Governance

The Board’s Role - As a part of its regular risk oversight, Luxfer's Board of Directors is responsible for overseeing cybersecurity, information security, and technology risk. The Board is comprised of independent Non-Executive Directors, and one Executive Director.
Luxfer's Senior Leadership team provides regular reports on information security matters at least quarterly to the Board, as it is their responsibility to oversee Management's actions to identify, access, mitigate and remediate material risk.

Management’s Role - Luxfer's cybersecurity program is managed by our IT Steering Committee. Comprised of IT Managers from across the company and chaired by a member of Luxfer’s executive leadership team, the IT Steering Committee maintains the vision, strategy, and operation of Luxfer's cybersecurity program. IT Managers, who have operational responsibility for the actions of the Committee, ensure the effective implementation of the Company IT policies and also manage the local IT teams to ensure they are appropriately supported. Local IT teams have the day-to-day responsibility for implementing and monitoring the operation of Company IT policies within their respective business units. IT personnel within the Company are qualified within their respective roles and are provided with the resource to carry out their responsibilities effectively.

Cybersecurity risk management - We devote significant resources to network security, data encryption, employee training, monitoring of networks and systems, patching, maintenance and backup of systems and data. We also follow best practices for IT and data security as our IT controls are aligned with DFARS / NIST 800-171 IT Security Standard for US Government Contractors. Although there have been no cybersecurity incidents that have been material to the Company to date, cyber-attacks are continually becoming more sophisticated, and our IT network is still potentially vulnerable to threats and incidents in the future. To assure long-term success, Luxfer is committed to discovering and preparing for all potential cybersecurity threats. We set out below certain mitigating actions that we believe help us manage our principal cybersecurity risks.
Risk: Network and Systems
Risk Description: Luxfer's operations are increasingly dependent on IT systems and management of information, and a cyber-attack could inhibit our business operations including disruption to sales, production and cash flows.
Management of Risk: Luxfer has a wide breadth of controls in place to protect against cyber-attacks including firewalls, threat monitoring systems, protected cloud architecture, and more frequent security patching. We have phased out vulnerable operating systems and updated legacy servers with advanced security. Applications that run and manage our core operating data are fully backed up.

Risk: Employee Error or Misuse
Risk Description: As cyber-attacks and phishing scams are becoming more advanced, employees may fail to recognize the signs of a cyber-attack or rely solely on the Company's IT defenses.
Management of Risk: We have global policies covering IT security standards, annual training modules for employees. We also train our employees on cybersecurity through phishing simulations.

Risk: Third-Party Cybersecurity Measures
Risk Description: In part, we depend on the reliability of certain tested third parties' cybersecurity measures, including firewalls, virus solutions and backup solutions. Our business may be affected if these third-party resources are compromised.
Management of Risk: Our IT Steering Committee performs thorough due diligence and risk analyses on third party vendors, verifying that sufficient security testing is performed on all software before installation on Luxfer's network. The IT Steering Committee also monitors and reviews access and permissions to all software and programs regularly.

Risk: Regulations
Risk Description: We are required to comply with the UK General Data Protection Regulation (GDPR) relating to the security of personally identifiable information that we process. A data breach can result in non-compliance with the GDPR, leading to fines or litigation.
Management of Risk: We make every effort to comply with the GDPR and implement best practices including annual review of our Data Protection Policy. We also train employees to maintain secure systems, and access control measures, and regularly monitor and test our networks to protect data, payment information, and personally identifiable information.

Training and compliance - Our employees are a key line of defense against cybersecurity threats and malicious actors. In addition to our IT Policies, Luxfer has a comprehensive cybersecurity training and awareness program to educate employees on how to recognize cybersecurity threats, prevent cyber-related incidents, and how to report a potential threat or breach. Our online compliance training program is mandatory for all employees worldwide, and includes cybersecurity awareness and IT security trainings, along with other compliance and governance related topics. Within each training module, employees are required to review a Company IT policy applicable to the topic of the training, and attest that they have read, understood, and agree to comply with the Policy. Luxfer's IT Steering Committee continues to carry out internal phishing simulations to engage employees with cybersecurity, raise awareness, and educate employees on how to recognize and report phishing attacks. Through the simulations, we are able to test our employees' reaction to phishing emails and collect important metrics such as click rate. Data collection allows us to pinpoint trouble spots and target additional trainings to specific teams or locations. This information is also reported once quarterly to Luxfer's Senior Leadership Team and is an important supplement to our overall IT security training program.

Security audits and assessments - We perform periodic security audits and assessments to test our cybersecurity program. These efforts span across our cybersecurity program, including but not limited to audits, assessments, and penetration tests.
We regularly engage third parties to assess our cybersecurity program, including cybersecurity maturity assessments, penetration testing, and independent review of our security control environment and operating effectiveness.


Company Information

Name: LUXFER HOLDINGS PLC
CIK: 0001096056
SIC Description: Industrial Inorganic Chemicals
Ticker: LXFR - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30