CECO ENVIRONMENTAL CORP 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

CECO ENVIRONMENTAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 10:48:00 EST.

Filings

10-K filed on 2024-03-05

CECO ENVIRONMENTAL CORP filed an 10-K at 2024-03-05 10:48:00 EST
Accession Number: 0000950170-24-025511

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company s Board of Directors (the Board ) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company s risk management program, and cybersecurity represents an important component of the Company s overall approach to enterprise risk management ( ERM ). The Company s cybersecurity policies, standards, and processes are being integrated into the Company s ERM program and based on recognized frameworks and industry standards, including the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, and availability of Company and customer systems, information, and products. The Company has engaged third-party cybersecurity service providers and leverages leading technologies and expertise to monitor, maintain, and provide 24/7 managed detection and response capabilities for coordination, escalation and remediation of alerts associated with information technology systems utilized by the Company. Risk Management and Strategy The Company engages in the periodic assessment and testing of the Company s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The results of such assessments, audits and reviews are reported to the Audit Committee and the Board, and the Company adjusts its cybersecurity program as necessary based on the information provided by these assessments, audits, and reviews. Governance The Board, in coordination with the Audit Committee, oversees the Company s ERM process, including the management of risks arising from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, and third-party and independent reviews. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Audit Committee discuss the Company s approach to cybersecurity risk management with the Company’s Vice President of Information Technology (the “VP of IT”). The VP of IT reports to the Chief Financial and Strategy Officer and is the head of the Company s cybersecurity team. Through ongoing communications, the VP of IT and the Executive Leadership Team, which includes our Chief Executive Officer, Chief Financial and Strategy Officer, and Chief Administrative and Legal Officer, monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Audit Committee when appropriate. The VP of IT has served in various roles in information technology and information security for over 25 years, including leading the cybersecurity programs for three public companies. The VP of IT holds undergraduate and graduate degrees in business and has attained multiple cybersecurity certifications including Certified Information Security Manager. Cybersecurity threats, including those as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For more information on our cybersecurity related risks, refer to “Part I, Item 1A. Risk Factors” of this Annual Report on Form 10-K. 21

Company Information