ENVIRI Corp 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

ENVIRI Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 14:05:04 EST.

Filings

10-K filed on 2024-02-29

ENVIRI Corp filed an 10-K at 2024-02-29 14:05:04 EST
Accession Number: 0000045876-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. The Company relies upon internally and externally managed information technology systems and networks for the collection and storage of sensitive data and business information. Accordingly, the Company places an emphasis on managing cybersecurity risks by means of a comprehensive risk management and governance strategy designed to assess, identify, and manage cybersecurity risks to the Company s business. RISK MANAGEMENT AND STRATEGY The Company s cybersecurity program is designed to detect cybersecurity threats and vulnerabilities, protect the Company s information systems from such threats, and ensure the confidentiality, integrity, and availability of systems and information used, owned or managed by the Company. The Company places special weight on protecting sensitive information, such as personal information of the Company s customers and employees, and confidential business information that could be leveraged by a competitor or a malicious actor. The Company s cybersecurity program comprises several components, including the adoption of information security protocols, standards, and guidelines consistent with industry best practices; engaging third-party service providers to conduct security assessments and penetration testing; and performing periodic internal audits of the Company s cybersecurity protocols. The Company employs a risk-based process designed to manage cybersecurity risk presented by third-party vendors that may have access to the Company’s sensitive information and/or information technology (“IT”) systems. This process may consider the nature of the services provided, the sensitivity and quantity of information processed, the criticality of any potentially impacted IT systems, and/or the strength of the vendor s cybersecurity practices. The Company monitors potential cybersecurity risks through an enterprise risk heatmap that tracks key cybersecurity risks at divisional and enterprise levels. These key risks are characterized by various factors such as the likelihood of the Company experiencing a particular type of cybersecurity incident, the speed at which each type of cybersecurity incident could impact the Company, and management s assessment of the Company s ability to respond quickly and efficiently. An incident response plan ( Incident Response Plan ) aligned with best practices articulated by the National Institute of Standards and Technology ( NIST ) governs the Company s response to cybersecurity incidents. This Incident Response Plan outlines how the Company detects, analyzes, contains, eradicates, recovers, and performs post-incident activities in the event of a cybersecurity incident. It also contains an internal, risk-based escalation framework designed to ensure that all relevant individuals are promptly informed of any cybersecurity incident and dictates procedures for determining whether a cybersecurity incident is material without unreasonable delay. MATERIAL EFFECTS FROM RISKS OF CYBERSECURITY THREATS While the Company experiences minor data and cybersecurity incidents from time to time, to the Company s knowledge, the risks posed by cybersecurity threats (including from such prior incidents) have not materially affected and are not reasonably likely to materially affect the Company s business strategy, results of operations or financial condition. However, there can be no assurance that the Company will not be materially affected by such risks in the future. A successful cybersecurity attack may expose the Company and the Company s employees, customers, dealers, and suppliers to misuse of information or systems, the compromising of confidential information, manipulation or destruction of data, production downtimes, and operations disruptions. For example, the Company frequently operates in potentially dangerous environments with heavy machinery, such as steel mills, where a cybersecurity incident could cause a machinery malfunction that results in disruptions to operations or serious injury to employees. For more information, see risk factor related to the imposed risks from increased information technology security threats and computer crime under Strategic and Operational Risks in Part I. Item 1A. Risk Factors. GOVERNANCE Role of Management The Company s Vice President, Chief Information Security Officer and Corporate IT, Giles Tipler, oversees the Company s IT security department and is responsible for assessing and managing cybersecurity risks and for leading the Company s response to cybersecurity incidents. Mr. Tipler has over 25 years of experience in information security, risk management, compliance, and information technology, with significant experience building cybersecurity programs across multiple countries in the Americas, Europe, the Middle East, Africa, and the Asia-Pacific regions. Mr. Tipler played an instrumental role in the development of the Company s Incident Response Plan and reports to the Company s Chief Financial Officer, Mr. Tom Vadaketh. Mr. Tipler is also responsible for providing quarterly updates to the Company s Audit Committee and Board of Directors regarding enterprise level risks, the effectiveness of the Company s cybersecurity program, and any material cybersecurity incidents that may arise. 19 Role of the Board of Directors The Board has delegated responsibility for overseeing the Company s cybersecurity and information technology processes to the Audit Committee. The Audit Committee is responsible for overseeing the implementation and effectiveness of the Company s processes and risk management protocols regarding cybersecurity and information technology, including risks from cybersecurity incidents and vulnerabilities and third-party service providers, and the steps taken by Mr. Tipler and the IT security department to inform themselves about and monitor the prevention, detection, mitigation, and remediation of such risks. Mr. Tipler reports to the Audit Committee regarding material cybersecurity incidents and any remediation efforts and is also responsible for providing quarterly updates regarding the overall effectiveness of the Company s cybersecurity program.

Company Information