FreightCar America, Inc. 10-K Cybersecurity GRC - 2024-03-18

Page last updated on April 11, 2024

FreightCar America, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-18 16:29:03 EDT.

Filings

10-K filed on 2024-03-18

FreightCar America, Inc. filed an 10-K at 2024-03-18 16:29:03 EDT
Accession Number: 0000950170-24-032849

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Overview We are cognizant of the evolving risks associated with cybersecurity and recognize a material cybersecurity incident could adversely impact our financial results and condition. We further recognize the importance of maintaining processes to identify, mitigate, and manage those cybersecurity threats. No cybersecurity threats occurred during the year ended December 31, 2023 that have had, or are reasonably likely to have had, a material impact on our business or financial results. We utilize the National Institute of Standards and Technology ( NIST ) framework with our security program to identify, mitigate, and manage cybersecurity risks. We have implemented controls and a formal security policy following this framework. This security policy functions in conjunction with other policies, such as our acceptable use policy and our mobile device policy. We also maintain a specific incident response policy and procedure document including notification and participation of key workforce personnel and external stakeholders to contain, eradicate, and recover from any security incidents. The Company emphasizes the importance of security awareness to our workforce through the administration of third-party cybersecurity training and prioritizes the monitoring and prevention of unauthorized access to Company information technology ( IT ) assets such as networks, computers, mobile devices, applications, and stored information. Our internal IT team considers cybersecurity capabilities of third-party service providers prior to engaging them and on an ongoing basis. Our key external IT 8 vendors provide the Company with system and organizational control reports that are reviewed by our internal IT team and may reveal potential security risks. A third-party managed security services provider ( MSSP ) works in tandem with our internal IT team to implement and maintain processes and procedures to detect and handle identified security incidents, including the performance of phishing simulations to evaluate our workforce s ability to recognize malicious emails. Our MSSP team leaders have significant experience working in cybersecurity and employ a trained workforce designed to provide proactive and comprehensive cybersecurity care. Together with our MSSP, we also monitor the frequency and extent of cybersecurity threats and update our processes and procedures as necessary. On an annual basis, our internal auditors perform penetration testing and other assessments. Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee primary responsibility for oversight of our risk management programs, including processes and procedures related to cybersecurity threats and incidents. The Audit Committee oversees management s implementation of our cybersecurity risk management program. The Company s cybersecurity risk management program is under the direction of our Director of IT, who reports directly to our Chief Financial Officer. Our Director of IT drives collective focus and central coordination of our cybersecurity risk management program internally and oversees our retained external MSSP personnel. Management reports to the Audit Committee, at least quarterly, and more frequently if needed, on the Company s cybersecurity risk management program, including periodic assessments and tests addressing cybersecurity threats and incidents

Company Information