PERMA FIX ENVIRONMENTAL SERVICES INC 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

PERMA FIX ENVIRONMENTAL SERVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 15:09:28 EDT.

Filings

10-K filed on 2024-03-13

PERMA FIX ENVIRONMENTAL SERVICES INC filed an 10-K at 2024-03-13 15:09:28 EDT
Accession Number: 0001493152-24-009805

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy The Company recognizes the importance of identifying, assessing, and managing risks associated with cybersecurity threats. The Company s cybersecurity program utilizes components of the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework. Key components of our cybersecurity program include governance, risk management, access and authentication controls, change management, audit and assessment, awareness and training, contingency planning, recovery, media handling, incident response, personnel and physical security, and communication integrity. Our program is embedded into Information Technology ( IT ) and Information System ( IS ) operations across the business with a focus on awareness, transparency, minimizing business impacts, and reducing enterprise risk, including strategic, compliance, legal and financial risk. The Company has policies and procedures in place to ensure compliance with its cybersecurity program and cybersecurity controls. Our program relies on a philosophy of continuous improvement by using periodic self-assessments, 3 rd party assessments, and customer/agency audits to determine cyber control presence, applicability, and effectiveness. Our program is customized with additional controls that address financial systems risk, nuclear quality assurance, Sarbanes Oxley, European Union cyber and data protection requirements, and supply chain risks. Our risk management process addresses confidentiality, availability, and integrity and includes evaluating information systems specific threats, vulnerabilities, likelihood, and potential impact. Impact thresholds, which are reviewed and approved by the Board of Directors (the Board ) and senior management, are used to define incident escalation paths from IT operations to management, the Audit Committee and the Board. This process is used to identify, manage, and communicate material risks to the business. Additional cyber incident reporting requirements are in place to comply with customers and regulatory agency requirements. Automated threat and vulnerability management systems are in place and updated per industry standards and best practices. Our IT team further manages risk by evaluating external providers of threat, vulnerability, and risk mitigation information. This information is used to proactively implement new methods or controls for reducing risk associated with a particular emerging threat or vulnerability. The Company s cybersecurity program is managed by the Vice President ( VP ) of IS, who has been employed by the Company for 20 years and has over 35 years of total experience in information systems. The VP of IS has an extensive career in software development and infrastructure management including working with Fortune 500 companies in his prior positions. The VP of information system is a participant in the overall Company strategic process and has aligned the program to best service the strategic objectives of the business. Cybersecurity Governance The Company s Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats. Our senior management is responsible for the day-to-day management of the material risks we face. Our VP Of Information System is scheduled to report to the CFO on a weekly basis and the Audit Committee on a quarterly basis on cybersecurity matters to include updates on cybersecurity threat management, strategy processes, system updates and cybersecurity risks activities, including but not limited to any recent cybersecurity incidents and related responses. Our Board is also engaged in discussion with senior management and the Audit Committee at least on a quarterly basis on cybersecurity matters to discuss any updates to our cybersecurity risk management and strategy program. Each member of our Board has a working knowledge and/or experience with cybersecurity, IT strategy and IT risk assessment. In the past 2 years, the Company does not believe that it has experienced any material cybersecurity incidents, nor any material costs related to immaterial cyber incidents. Although we have a comprehensive process for the prevention of material cybersecurity incidents as discussed, we cannot provide assurance that our results of operations and financial condition and business strategy will not be materially impacted from cybersecurity risks in the future. For more information on our cybersecurity related risk and potential effects on the Company of a material cybersecurity breach, see under General Risk Factors in Item 1A. Risk Factors 17

Company Information