ALTA EQUIPMENT GROUP INC. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

ALTA EQUIPMENT GROUP INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 16:47:46 EDT.

Filings

10-K filed on 2024-03-14

ALTA EQUIPMENT GROUP INC. filed a 10-K at 2024-03-14 16:47:46 EDT
Accession Number: 0000950170-24-031600

Item 1C. Cybersecurity.

Governance

Governance and oversight of cybersecurity risks and strategies form a core component of our risk management framework. Recognizing the critical importance of cybersecurity in protecting our operations and preserving shareholder value, we have established a governance structure that emphasizes proactive risk identification, management, and mitigation across the entirety of our organization.

Central to our governance approach is the active involvement of our Audit Committee, which plays a vital role in overseeing the Company’s cybersecurity strategy. Alta’s Audit Committee is a subset of our Board of Directors, which maintains oversight of our strategic direction regarding cybersecurity. Key to the Audit Committee’s effectiveness is its regular engagement with our cybersecurity team, as further described below, a practice that provides direct communication and alignment on cybersecurity matters. During these critical meetings, several pivotal areas are reviewed to assess the adequacy and effectiveness of our cybersecurity measures:

Incident Response: Evaluation of our readiness and response strategies to cybersecurity incidents, positioning us to quickly and effectively mitigate any potential impacts.

Cybersecurity Industry Updates: Review of recent industry developments (i.e., new threats/tactics, industry news) to comply and adapt our strategies accordingly.

Acquisition Security Integration: Discussion on the security aspects of recent or upcoming acquisitions, focusing on the integration of their cybersecurity frameworks into our broader security posture.

Key Initiatives: Reflection on the major cybersecurity initiatives undertaken in the past year, assessing their outcomes and lessons learned.

Goals: Setting forth our cybersecurity objectives for the coming year, aligning them with our overall business strategy and risk management framework.

Employee Security Awareness and Training: Results from our regular testing and training of employees is presented and discussed.

Penetration Test Results: Analysis of the findings from our regular penetration testing exercises, which help identify vulnerabilities and strengthen our defenses.

Questions and Answers: An open forum for the Audit Committee to seek clarifications and provide guidance on cybersecurity matters, fostering a culture of transparency and continuous improvement.

This structured approach to governance and oversight, with a clear emphasis on receiving feedback allows us to align with the entire Alta organization. By prioritizing the identification and management of cybersecurity risks at the highest levels, we aim to safeguard our assets, protect shareholder interests, and maintain the continuity of our business operations in the face of evolving cyber threats.

Management

Our Senior Director of IT and Director of Security and Compliance have primary responsibility for assessing and managing cybersecurity risks. An internal team of cybersecurity experts execute our cybersecurity program while our VP of Information Services provides executive oversight. Combined, our experts bring multiple decades of cybersecurity experience and have earned cybersecurity-related certifications. Our internal team is bolstered by strategic third-party security partners leveraged to provide 24x7 monitoring and response. Third parties routinely assess our security practices providing tactical assistance or strategic guidance through audits and penetration tests. All members of the team routinely discuss emerging security threats and ways to mitigate risk.

Strategy

We utilize an in-depth layered approach to security. This allows us to respond and proactively mitigate cybersecurity risks, underscoring our commitment to the confidentiality, integrity, and availability of our data and systems.

The Company has processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. Our strategy includes the deployment of advanced security products and rigorous penetration testing to identify and mitigate vulnerabilities by continuous vulnerability scanning and round-the-clock monitoring by both internal and external teams. This proactive stance is further bolstered by backup and recovery protocols, ensuring data resilience, and enhanced by email security measures and endpoint detection and response systems to thwart malicious activities. Additionally, our commitment to security best practices is evident in our implementation of privileged access management, security awareness training for all employees, dark web monitoring, and 24x7 threat monitoring. Our incident response plan is designed to address security incidents promptly and effectively, supported by stringent information security policies and the implementation of a Security Information and Event Manager (SIEM) system for real-time analysis and reporting of security events and incidents. Furthermore, identity management and mobile device management extend our security perimeter, safeguarding against both external and internal threats. As part of our annual security commitment, we undergo annual penetration testing to assess whether our necessary security controls are maintained.

The Company faces risks from cybersecurity threats that could potentially have an adverse effect on our business, financial condition, results of operations, cash flows and/or reputation. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have experienced threats to and breaches of our data and systems.

For more information about the cybersecurity risks we face, see the risk factor entitled “Security breaches and other disruptions in the Company’s IT systems, including the Company’s ERP system, could limit the Company’s capacity to effectively monitor and control our operations, compromise ours or our employees’, customers’ and suppliers’ confidential information, or otherwise adversely affect the Company’s operating results or business reputation” in Item 1A. Risk Factors.


Company Information

Name: ALTA EQUIPMENT GROUP INC.
CIK: 0001759824
SIC Description: Wholesale-Industrial Machinery & Equipment
Ticker: ALTG - NYSE; ALTG-PA - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30