AMPCO PITTSBURGH CORP 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

AMPCO PITTSBURGH CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 17:29:15 EDT.

Filings

10-K filed on 2024-03-25

AMPCO PITTSBURGH CORP filed a 10-K at 2024-03-25 17:29:15 EDT
Accession Number: 0000950170-24-036011

Item 1C. Cybersecurity.

Risk Management

The Corporation's risk management program includes focused efforts to identify, assess and manage cybersecurity risks including, but not limited to, the following:

- Developing and maintaining a standardized Written Information Security Policy ("WISP"), which provides specific provisions pertaining to employee training, network security, data security, and confidential information for use and adherence by all pertinent operating entities of the Corporation;
- Developing and maintaining an Incident Response Plan ("IRP"), which provides specific directives in the event of a cyber-attack including identifying the attack, containing and eradicating the cyber-threat, avoiding and minimizing damages, reducing recovering time, and mitigating future cybersecurity risks;
- Aligning the Corporation's risk management program, as outlined in the WISP and the IRP, with the National Institute of Standards and Technology Cybersecurity Framework to prevent, detect and respond to cyber-attacks;
- Requiring all employees with access to the Corporation's networks to participate in regular and mandatory training on how to be aware of, and help defend against, cybersecurity risks, combined with periodic testing to measure the efficacy of the training efforts;
- Testing vulnerability of the Corporation's key systems to cybersecurity risks, including targeted penetration testing, tabletop incident response exercises, periodic audits by outside industry experts, and regular vulnerability scanning;
- Maintaining adequate business continuity plans and critical recovery backup systems;
- Engaging external cybersecurity experts in incident response development and management; and
- Maintaining adequate cyber insurance for damages caused by a cyber-attack.

The Corporation's information security program is managed by its Data Protection Manager ("DPM") and its Information Technology Department (collectively, the "IT Team"). The DPM has extensive experience in cyber and global data protection initiatives with the Corporation and reports directly to the Corporation's Chief Executive Officer. The IT Team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes.

In addition, the Corporation has established a Cybersecurity Materiality Assessment Team ("CMAT") for the purpose of evaluating specific cyber incidents or a series of related incidents. It includes certain of the Corporation's senior managers with cross-functional representation from operations, finance/accounting, information technology, risk management and human resources. CMAT is responsible for assessing the potential materiality of a cyber-incident based on the actual and anticipated potential impact to the Corporation's results of operations, financial position and cash flows; operations including disruptions and downtime; strategic plans; confidential information; employee and community health and safety; customers and vendors; investors; regulatory compliance; and reputation.

Engage Third Parties

As part of the Corporation's cybersecurity risk management process, the Corporation engages a range of third parties, including consultants and advisors, to assist with security assessments and operations, employee training and awareness, compliance, penetration testing, network and endpoint monitoring, threat intelligence, and the Corporation's vulnerability management platform. These relationships enable the Corporation to access specialized knowledge and insights with respect to its cybersecurity strategies and processes.

Risks from Cybersecurity Threats

From time to time, the Corporation has experienced attempts by unauthorized parties to access or disrupt its information technology systems. To date, it has not experienced any known material breaches or material losses related to cyber-attacks. However, a failure of the Corporation's information systems or a cybersecurity breach could materially and adversely affect its business, results of operations and financial condition. See additional information provided under Item 1A, "Risk Factors".

The Corporation manages its cybersecurity risk by limiting its threat landscape. For example, the Corporation does not store, transmit or process many of the types of data commonly targeted in cyber-attacks, such as consumer credit card or financial information. The Corporation recognizes cyber-threats are a permanent part of the risk landscape, and new threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority.

Monitoring Cybersecurity Incidents

The Corporation's efforts to prevent and detect cybersecurity incidents include continuous monitoring of the Corporation's networks. Employees throughout the Corporation are trained to report cybersecurity threats as they are identified. If an incident occurs or is suspected, it is reported to the DPM who completes an initial assessment of the incident and assigns a priority level, as outlined in the IRP, to the incident. Simultaneously, the DPM initiates the review process with CMAT and proceeds with the remediation process for recovery and eradication.

The CMAT assesses potential materiality of the confirmed or suspected security incident based on the actual or anticipated potential impact to the Corporation's results of operations, financial position and cash flows; operations including disruptions and downtime; strategic plans; confidential information; employee and community health and safety; customers and vendors; investors; regulatory compliance; and reputation.

The DPM reviews any material cybersecurity threats or incidents, as defined in the IRP, with the Audit Committee when they occur and non-material threats or incidents on a regular basis. Materiality of a cybersecurity threat or incident gives consideration to the potential and actual impact of the cybersecurity threat or incident.

Board of Directors Oversight

The Audit Committee of the Board of Directors (the "Audit Committee") oversees and reviews the design and effectiveness of the Corporation's cybersecurity program and its contingency plans and provides regular reports to the Board of Directors of the Corporation. The DPM provides periodic reports to the Audit Committee, the Corporation's Chief Executive Officer, Chief Financial Officer, and other members of senior management at each of the Audit Committee meetings and in the event of a cyber incident deemed material. These reports include updates on the Corporation's cyber risks and threats, the status of projects to strengthen its information security systems, assessments of the information security program, and the emerging threat landscape.


Company Information

Name: AMPCO PITTSBURGH CORP
CIK: 0000006176
SIC Description: Pumps & Pumping Equipment
Ticker: AP - NYSE; AP-WT - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30