ESAB Corp 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

ESAB Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 06:07:37 EST.

Filings

10-K filed on 2024-02-29

ESAB Corp filed a 10-K at 2024-02-29 06:07:37 EST
Accession Number: 0001877322-24-000035


Item 1C. Cybersecurity.

We maintain a cybersecurity program that is reasonably designed to protect our information against cybersecurity threats that may result in material adverse effects on the confidentiality, integrity and availability of our information systems as well as our business operations, financial condition and overall performance.

Internal Cybersecurity Team and Governance

The Board maintains responsibility for oversight of risks that may affect the Company. Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee reviews the Company's policies with respect to risk assessment and enterprise risk management, including with respect to cybersecurity risks. Certain members of our Audit Committee have experience with respect to cybersecurity risk management and have attended external trainings. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Audit Committee receives reports and presentations from members of the Company's management team responsible for overseeing the Company's cybersecurity risk program, including the head of our global cybersecurity team. These reports and updates may address a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company's peers and third parties. The Audit Committee periodically reports to the Board on data protection and cybersecurity matters. We also have protocols by which certain cybersecurity incidents are escalated within the Company and, in certain circumstances, reported to the Board and/or Audit Committee in a timely manner.
At the management level, the head of the global cybersecurity team is responsible for overseeing and implementing a cybersecurity strategy aligned with the Company's goals and needs. Our head of global cybersecurity has extensive experience with respect to cybersecurity matters as a result of over 10 years of relevant work experience and holds multiple industry certifications. Our cybersecurity function is supported by cybersecurity personnel with substantial industry experience as well as our network of regional IT leaders and our global IT infrastructure team. The head of the global cybersecurity receives ongoing updates from such individuals regarding the prevention, detection, mitigation and remediation of cybersecurity incidents. In conjunction with management, the head of global cybersecurity regularly reviews risk management measures to identify and mitigate data protection and cybersecurity risks. Key performance indicators, emerging threats, current trends and notable detections are reported to members of the Company's senior leadership team. The global cybersecurity team also works closely with our legal team to address legal, regulatory and contractual requirements.

Risk Management and Strategy

Cybersecurity related risks are integrated into our overall enterprise risk management ("ERM") process. As a result, risks posed by cybersecurity threats are among the risks that the Company's ERM process evaluates and assesses at least annually. The results of this risk assessment, including cybersecurity, are presented to the Board of Directors annually. The cybersecurity team implements, monitors and maintains controls leveraging the National Institute of Standards and Technology ("NIST") CyberSecurity Framework. These controls are designed to protect the confidentiality, availability and integrity of information systems. Our cybersecurity processes include automated tools and technical safeguards managed and monitored by our cybersecurity team.
We view cybersecurity as a responsibility shared by all of our associates. As an organization committed to continuous improvement, we periodically conduct incident response tabletop exercises with key members of our leadership team, including our Chief Executive Officer, perform internal and external assessments and engage consultants to help assess the design and effectiveness of our program. In addition, we expect all of our associates as well as our third-party vendors to help protect against cybersecurity risks, and we conduct periodic awareness campaigns, emerging threats communications and specific trainings.

We have adopted a Global Cybersecurity Incident Response Procedure that applies in the event of a cybersecurity threat or incident. These procedures include an incident response playbook which outlines the steps to be addressed in the event of a cybersecurity incident, from incident detection to mitigation, recovery and notification within the Company and to the Audit Committee and/or Board of Directors, as specified.

We also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. We employ systems and processes designed to oversee, identify and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. Despite ongoing efforts to continued improvement of our and our vendors' ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, disruption of our business operations, revenue and client loss, legal actions, or statutory penalties, among other consequences. Due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate and remediate cybersecurity incidents.
While we are not aware of any material cybersecurity threats or incidents that have had or are reasonably likely to materially affect us, including having a long-term impact on our business strategy, results of operations or financial condition, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. For additional information on the cybersecurity risks faced by our Company, refer to "Item 1A. Risk Factors - Risks Related to Our Business - Our electronic information systems have been and could in the future be, subject to service interruptions, data corruption, cyber-based attacks and network security breaches. Significant disruptions in, or breaches in security of, our electronic information systems or data can adversely affect our business and financial statements."


Company Information

Name: ESAB Corp
CIK: 0001877322
SIC Description: General Industrial Machinery & Equipment, NEC
Ticker: ESAB - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30