HUDSON TECHNOLOGIES INC /NY 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

HUDSON TECHNOLOGIES INC /NY reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:00:50 EDT.

Filings

10-K filed on 2024-03-14

HUDSON TECHNOLOGIES INC /NY filed a 10-K at 2024-03-14 17:00:50 EDT
Accession Number: 0001410578-24-000199

Item 1C. Cybersecurity.

Risk Management and Strategy

Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems, and those that we offer to our customers are necessary for the operation of our business. We use these systems, among others, to manage our customer and vendor relationships, for internal communications, for accounting to operate record-keeping functions, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data.

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and tenant data ("Information Systems and Data").

We rely on a multidisciplinary team, including our information security function, legal department, management, and third-party service providers, as described further below, to identify, assess, and manage cybersecurity threats and risks.

We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our industry's risk profile, utilizing internal and external audits, and conducting threat and vulnerability assessments.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring, vendor risk management program, employee training, and penetration testing.

We work with third parties from time to time that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, consulting firms, threat intelligence service providers, and penetration testing firms.

To operate our business, we utilize certain third-party service providers to perform a variety of functions. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider, conducting security assessments, and conducting periodic reassessments during their engagement.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition.

Governance

Our full Board oversees the Company's enterprise risk management process, including the management of risks arising from cybersecurity threats. The Board receives regular presentations and reports from management who are responsible for managing and assessing cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations. The Board also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

Management plays a crucial role in assessing and managing material risks from cybersecurity threats. At the management level, the Company's cybersecurity risk management and strategy is led by its Director of IT, who reports to the CFO. The qualifications of the Director of IT include over 25 years of IT management, cybersecurity, and information governance experience. The Director of IT is regularly informed about the latest developments in cybersecurity, including emerging threats and technologies to adapt security measures accordingly. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents.

Management's role includes:

Risk Assessment: Management conducts annual cybersecurity risk assessments to identify and evaluate potential threats and vulnerabilities. Management considers the likelihood and potential impact of various cybersecurity risks, considering the Company's assets, systems, and operations, to prioritize mitigation efforts.

Cybersecurity Policies and Procedures: Management reviews and approves the Company's cybersecurity policies and procedures and communicates these policies and procedures to all employees to ensure adherence to established security protocols.

Compliance with Regulations: Management implements and maintains compliance with relevant cybersecurity regulations and standards applicable to the Company.

Budgeting and Resource Allocation: Management reviews budgets for cybersecurity initiatives and ensures that adequate resources are allocated to address cybersecurity risks and that investments in cybersecurity align with the Company's risk tolerance and strategic objectives.

The Director of IT is promptly informed of potential cybersecurity risks, threats, and vulnerabilities by the Company's IT Helpdesk. Once an incident has been identified, the Director of IT and the IT network security team assess the criticality and impact of the incident on the Company's business operations. The Director of IT then formulates and oversees a response to contain, eradicate and resolve incidents in accordance with the Company's incident response plan. Management is responsible for reporting incidents to the appropriate authorities as necessary and engaging the senior leadership on all material incidents.


Company Information

Name: HUDSON TECHNOLOGIES INC /NY
CIK: 0000925528
SIC Description: Wholesale-Machinery, Equipment & Supplies
Ticker: HDSN - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30