TRIMAS CORP 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

TRIMAS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 15:06:10 EST.

Filings

10-K filed on 2024-02-29

TRIMAS CORP filed an 10-K at 2024-02-29 15:06:10 EST
Accession Number: 0000842633-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We depend on integrated information systems to conduct our business. Accordingly, we have processes in place designed to protect our information systems and to assess, identify and manage material risks from cybersecurity threats. As part of our Cyber Security Continuous Improvement Strategy, we continuously assess and improve our information systems to keep pace with the evolving threat landscape. We maintain a cybersecurity program that incorporates security measures from frameworks like the National Institute of Standards and Technology and the Center for Internet Security (“NIST”). This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Alongside the Company’s preventative measures that employ traditional and artificial intelligence technologies, we actively monitor and audit our information technology and data assets to detect any anomalies and to respond quickly to potential threats that may arise. In addition to applying security controls to prevent unauthorized access to sensitive information and protecting the Company’s information systems and networks from exploitation by outsiders, we also deploy cybersecurity training courses to all employees annually, maintain an incident response plan, establish cybersecurity contingency plans and conduct phishing testing on a quarterly basis. The oversight of the Company’s cybersecurity risk management process is integrated into our annual Enterprise Risk Management (“ERM”) process. Our ERM process is designed to enable leaders to identify and assess leading risks facing the Company, including risks related to cybersecurity, and work collaboratively to implement plans to mitigate these risks. We also utilize third-party experts to evaluate the Company s security program and test operational effectiveness of our security controls. In addition, we have processes designed to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. For example, our Terms and Conditions within our agreements with suppliers, vendors, contractors, consultants, partners and others with whom we do business (collectively “Suppliers”) generally require that our Suppliers safeguard and protect the information entrusted to them, as well as information generated or developed by them, from unauthorized access, destruction, use, modification or disclosure. We also encourage the our Suppliers to maintain risked-based cybersecurity programs designed to mitigate emerging threats to their information systems, products, services and supply chain, while complying with all applicable contractual and legal requirements. However, we may have little or no oversight with respect to security measures employed by third-party service providers, which may ultimately prove to be ineffective at countering cybersecurity threats. We have experienced cyber-attacks in the past and, while none of these cyber-attacks resulted in a material disruption to our business, we may experience additional cyber-attacks in the future. As of the filing of this Form 10-K, we are not aware of any such attacks that have occurred since the beginning of 2023 that have materially affected, or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, refer to “Risks Relating to Our Business A major failure of our information systems could harm our business; increased IT security threats and more sophisticated and targeted computer crime could pose a risk to our systems, networks and products. " in " Item 1A. Risk Factors within this Form 10-K. Governance The Board of Directors of the Company (the “Board”) is presented with a cybersecurity update quarterly and is integrated within our TriMas Incident Response Plan. The Board reviews the Company’s ERM process, including the design of the program, the key risks identified and the actions identified to manage and reduce those risks. Consistent with this undertaking, the Board regularly reviews the Company’s cybersecurity strategy and activities in support of the strategy. As part of its compliance oversight responsibilities, the Audit Committee of the Board (the “Audit Committee”) is responsible for the review of compliance with laws, regulations and internal policies and procedures of our information and cybersecurity programs. The Board and the Audit Committee receive updates from management quarterly on information and cybersecurity status and enhancements. Additionally, prompt notification of the Board is integrated into the Incident Response Plan. 25 Table of Contents Our Chief Information Officer (“CIO”) is responsible for assessing and managing material risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity incidents. Our CIO has 20-plus years of experience in the cybersecurity industry. Our CIO is informed of such incidents through the Infrastructure and Security Team. Our CIO reports directly to the Company’s Chief Financial Officer and reports information on these risks and incidents to the Board and the Audit Committee. Additionally, our CIO meets monthly with TriMas Senior Leadership in the Security Incident Management and Mitigation meetings. 26 Table of Contents

Company Information