AMERICOLD REALTY TRUST 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

AMERICOLD REALTY TRUST reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:02:23 EST.

Filings

10-K filed on 2024-02-29

AMERICOLD REALTY TRUST filed a 10-K at 2024-02-29 17:02:23 EST
Accession Number: 0001628280-24-008042


Item 1C. Cybersecurity.

ITEM 1C. Cyber Security Disclosure

Risk Management and Strategy

The Company maintains a robust enterprise-wide information security program aimed at assessing, identifying, and effectively managing cybersecurity risks, threats, and incidents. The Company has integrated cybersecurity risk management into its broader risk management framework to promote cybersecurity risk management company-wide.

Third-Party Engagement

The Company engages a range of third-party advisory service providers, including cybersecurity assessors, consultants, and auditors, to conduct recurrent evaluations of its cybersecurity controls. These reviews are a critical component of the ongoing risk assessment process within the cybersecurity function and include periodic evaluations of internal controls aimed at mitigating cybersecurity threats. These assessments often include penetration tests, evaluations of the Company’s cyber program maturity, and assessments of progress toward future-state cyber initiatives, among other considerations. The results of these reviews are reviewed with management and the Company’s Board of Directors (the “Board”).

Oversee Third-party Risk

The Company implements processes to oversee and manage the risks inherent with third-party service providers, including conducting thorough security assessments prior to engagement. This is designed to mitigate risks related to data breaches or other security incidents originating from third party providers.

Incident Response

The Company has implemented internal incident response procedures to address potential cyber incidents. These procedures are designed to analyze, contain, and remediate any cyber incidents that may circumvent existing safeguards. The incident response procedures encompass a systematic approach to evaluate the materiality of incidents, execute appropriate containment and remediation measures, and evaluate internal (including the Board) and external communication and disclosure protocols.

The Company also maintains data backup procedures in the event of a cybersecurity incident and for a business continuity plan in the event of business interruption. Examples of our backup procedures include regularly scheduled backups for various systems, critical system log files, and applications backup.

Governance & Board Oversight

The cybersecurity program is led by the Company’s Chief Information Security Officer (“CISO”). The CISO plays a pivotal role in informing the audit committee and the Board on cybersecurity risks. The audit committee is primarily responsible for the Board’s cybersecurity risk oversight. Management, including the CISO, provide comprehensive briefings to the audit committee on cybersecurity risks on a regular basis, and the audit committee reports to the Board at least quarterly. These briefings encompass a range of topics, including the current cybersecurity landscape and emerging threats, status of ongoing cybersecurity initiatives and strategies, incident reports, and compliance with regulatory requirements and industry standards. Additionally, the full Board is regularly briefed on updates related to the Global Information Security Program and the Company’s Information Security Roadmap. The Board also oversees the prompt assessment of material cyber events including countermeasures and mitigation actions.

In addition to scheduled meetings, the audit committee and CISO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain.

Management’s Role Managing Risk

The CISO possesses more than 10 years of relevant expertise in cybersecurity; and holds a Certified Information Systems Security Professional (“CISSP”) certification. Other members of the Company’s information security team also hold certifications such as CISSP, Certified Information Security Manager (“CISM”), Certified Ethical Hacker (“CEH”), and Certified Information Systems Auditor (“CISA”). The Company’s Chief Information Officer (“CIO”) and CISO work closely with other management positions, including the Chief Financial Officer, Chief Legal Officer, Head of Internal Audit, and Internal Communications, to evaluate cybersecurity risks in alignment with our business objectives and operational needs.

The Americold Global Information Security Program is structured to address cyber-related risks in alignment with the guidelines delineated in the National Institute of Standards and Technology (“NIST”) security framework. The program also leverages various automated tools, manual processes, and routine periodic third-party assessments to ensure the efficacy of our security measures. Furthermore, the program includes a formal information security training program that includes comprehensive security awareness initiatives and training modules, addressing critical areas such as phishing attacks and best practices for email security.

Impact of Cybersecurity Threats

As previously disclosed, we have experienced significant cyber incidents in the past, including in April 2023, that have impacted our operations and financial results. The related expense is reflected in “Acquisition, cyber incident, and other, net” on the Consolidated Statement of Operations for the year ended December 31, 2023, and the reserve balance is included in “Accounts payable and accrued expenses” in our Consolidated Balance Sheets as of December 31, 2023.

For additional information regarding such risks and the effects thereof on our business strategy, operations and financial condition, see Part I, Item 1A, “Risk Factors - A failure of our information technology systems, cybersecurity attacks or a breach of our information security systems, networks or processes could cause business disruptions and the loss of confidential information and may materially adversely affect our business.”


Company Information

Name: AMERICOLD REALTY TRUST
CIK: 0001455863
SIC Description: Real Estate Investment Trusts
Ticker: COLD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30