CHART INDUSTRIES INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

CHART INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:07:15 EST.

Filings

10-K filed on 2024-02-28

CHART INDUSTRIES INC filed an 10-K at 2024-02-28 16:07:15 EST
Accession Number: 0000892553-24-000067

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have established processes for assessing, identifying, and managing material risks associated with cybersecurity threats, as defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. By prioritizing cybersecurity at the highest level of our leadership, we assess cybersecurity risk, allocate resources and maintain a culture of cybersecurity awareness throughout Chart. Chart ties cybersecurity or being cyber safe to our key theme of safety, as an industrial manufacturer. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through third-party assessments, internal IT Audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other programs: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and techniques to test security controls, encourage proactive vulnerability reporting, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes. We have implemented preparation for incident response, incident response and breach management processes which have four stages: 1) preparation for cybersecurity incidents, 2) detection and analysis of cybersecurity incidents, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our information security, compliance and legal teams. Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact. We also simulate responses to cybersecurity incidents by conducting tabletop exercises. Our cybersecurity professionals then collaborate with technical and business stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation, and remediation strategies. As part of the above processes, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. In past years, our Information Security Management System has continued to work a Plan of Action and Milestones (POAM) tied to the United States Cybersecurity Maturity Model Certification (CMMC) program, formerly the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while looking for synergies across other standards, such as the Information Assurance Technical Framework (IATF), or as required for specific product lines or customers. Furthermore, we benchmark externally against other industrial manufacturers within the B2B (Business to Business) manufacturing industry, and even to a vertical level to determine Chart s risk profile through cybersecurity insurance tools that rank companies and bring them together within forums for cyber intelligence sharing and best practices. Our risk management program also assesses third-party risks to identify and mitigate risks from vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our employee, business or customer data. In addition, we strive to have the appropriate cybersecurity clauses in our agreements and where necessary we have Data Processing Agreements (DPAs) put in place for privacy of data. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading Data privacy and data security considerations could impact our business included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K. Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. The Board receives updates on a regular basis from senior management, including leaders from our information security, compliance and legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity, and data privacy incidents (if any) and status of key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. 21 Our cybersecurity risk management and strategy processes are overseen by leaders from our information security, compliance and legal teams. Such individuals have an average of over 15 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including our incident response plan, and report to the Audit Committee on any appropriate items.

Company Information