Metallus Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Metallus Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:12:10 EST.

Filings

10-K filed on 2024-02-28

Metallus Inc. filed a 10-K at 2024-02-28 16:12:10 EST
Accession Number: 0000950170-24-022078


Item 1C. Cybersecurity.

Our cybersecurity program is led by a team of skilled cybersecurity professionals, including dedicated internal cybersecurity resources and external advisors. In the normal course of business, we may collect and store sensitive information, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party information and employee information. We maintain a robust cybersecurity incident response plan, which details the incident response procedures, tactical and strategic team membership, and points of contact related to the response processes. The Company also maintains a detailed decision-tree-based playbook which is a supplement to the plan and focuses on specific types of incidents and the appropriate response steps. Cybersecurity is an important part of our Enterprise Risk Management (“ERM”) program, and the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach. The Company’s cybersecurity policies, standards, processes, and practices for assessing, identifying and managing material risks from cybersecurity threats and responding to cybersecurity incidents are fully integrated into the Company’s ERM program. The plan and playbook are structured to align with the National Institute of Standards and Technology (“NIST”) Cybersecurity framework practices. The plan and playbook are reviewed at least annually. In addition, we maintain insurance that includes cybersecurity coverage. The Company adheres to a periodic, third-party facilitated testing exercise of the cybersecurity incident response plan and playbook with the Company’s tactical and strategic team members. The teams are comprised of key members of the organization and external advisors who hold critical importance in the handling of cybersecurity events.
The exercise covers response procedures for prevalent cybersecurity incidents including but not limited to phishing, third-party breaches, and a standard incident response process. The documentation helps leaders make appropriate, pre-planned decisions. To assist, appendices detailing generalized incident response checklists and workflows from the Cybersecurity & Infrastructure Security Agency (“CISA”) and the NIST are referenced and used as a framework. Lastly, the response plans contain instructions on collecting and incorporating lessons learned after a successful identification and remediation of a security event. The information security team also works in partnership with the Company’s internal audit team to review information technology-related internal controls with our external auditor as part of our overall internal controls process. In light of the pervasive and increasing threat from cyberattacks, the Board of Directors, with input from management, assesses the measures implemented by us to mitigate and prevent cyberattacks. The Company’s Information Technology (“IT”) leadership team consults with and provides regular updates to the Board of Directors, as well as our chief executive officer and other members of our senior management team, as appropriate, on technology and cybersecurity matters, the status of projects to strengthen our information security systems, assessments of the information security program, timely reports regarding any cybersecurity incident that meets established reporting thresholds, and emerging threat landscape. In addition, the Company has an IT governance committee, which is comprised of the chief executive officer, IT and other officers of the Company. The IT governance committee meets quarterly, and as necessary, to discuss the cybersecurity program and other relevant topics. The IT team also consults regularly with the Board of Director’s cybersecurity expert in between meetings.
Our program is evaluated by internal and external experts with the results of those reviews reported to senior management and the Board of Directors, at least semi-annually. The Board of Directors has oversight responsibility for our data security practices and we believe the Board of Directors has the requisite skills and awareness into the design and operation of our data security practices to fulfill this responsibility effectively. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. See Risk Factors General Risk Factors for additional information about the risks to our business associated with a breach or compromise to our information security systems.


Company Information

Name: Metallus Inc.
CIK: 0001598428
SIC Description: Steel Works, Blast Furnaces & Rolling Mills (Coke Ovens)
Ticker: TMST - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30