AZZ INC 10-K Cybersecurity GRC - 2024-04-22

Page last updated on April 22, 2024

AZZ INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-22 06:16:07 EDT.

Filings

10-K filed on 2024-04-22

AZZ INC filed a 10-K at 2024-04-22 06:16:07 EDT
Accession Number: 0000008947-24-000044


Item 1C. Cybersecurity.

We recognize the critical importance of cybersecurity in today’s digital landscape and acknowledge the inherent risks associated with cyber threats. As such, cybersecurity is an integral component of our overall risk management strategy and corporate governance framework. To meet business objectives, we rely on both internal information technology systems and networks, and those of third parties and their vendors, to process and store sensitive data, including confidential research, business plans, financial information, intellectual property, and personal data that may be subject to legal protection, and to ensure the continuity of our supply chain.

We maintain a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The underlying controls of this program are based on recognized best practices and standards for cybersecurity and information technology, including those set forth in the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Among the key elements of our cybersecurity risk management program are the following:

Security Awareness and Training - We use an IT security awareness program consisting of training on the fundamentals of information security protection. These training courses are provided annually to all employees.

Annual Risk Assessment - An annual risk assessment is conducted by a third party, which is designed to assess the effectiveness of the Company’s security controls and to identify key risks.

Network Protection - Network protection, detection, and monitoring technologies have been deployed on all external and internal network connections to segment different sections of the business from each other to strengthen key protection capabilities.

Identity and Access Management - We have implemented user authentication controls on the Company’s systems, devices, data and applications. In addition, multi-factor authentication is implemented for all personnel who remotely access or have privileged account access to systems and networks.

Penetration Testing - We have partnered with a third-party penetration testing company to help identify new vulnerabilities and continuously improve the security posture of the Company through annual testing.

Endpoint Detection and Response (“EDR”) - EDR is an integrated, layered approach to endpoint protection that uses continuous monitoring and data analytics. We have partnered with a third-party security operations center, to provide critical support in monitoring, identifying and assessing cyber threats such as malware, ransomware, breaches, and denial of service attacks.

Security Incident Management - In the event of a cybersecurity incident, we have established an incident response plan, which outlines clear protocols for incident detection, containment, investigation, and resolution, aiming to minimize the impact on our operations, customers, and stakeholders.

We do not believe that any risks from cybersecurity threats, including any as a result of prior cybersecurity incidents we have experienced, have had a material adverse impact on our operations, business or financial condition. For more information regarding the risks we face from cybersecurity threats, see “Item 1A. Risk Factors.”

Our approach to cybersecurity governance is embedded within the broader governance structure of the Company. The Audit Committee of the Board of Directors is tasked with reviewing our policies and procedures related to cybersecurity risks, including the Company’s cybersecurity risk management program discussed above, to ensure their alignment with industry best practices and regulatory standards. The Audit Committee and the Board of Directors (“Board”) regularly engages with management to assess cybersecurity risks, mitigation efforts, and the overall effectiveness of our cybersecurity program.

Our Director of Information Technology Infrastructure leads a dedicated management committee responsible for overseeing cybersecurity matters. The Information Security committee contributes decades of experience in technology, cybersecurity, architecture, and incident response in both military and private sector with certifications including Certified Information Systems Security Professional (“CISSP”), Certified Ethical Hacker (“CEH”), CompTIA Secure Infrastructure Specialist (“CSIS”), and degrees in cybersecurity, data science, and computer science. Collectively, this team has served in various large, publicly traded companies, implementing and managing robust IT and cybersecurity programs, developing tools, and safeguarding internal networks, business applications, customer-facing applications, and payment systems. This committee consists of members with diverse expertise, including information technology, legal, risk management and finance, who collaborate to provide strategic guidance, evaluate potential risks and ensure the adequacy of our cybersecurity measures. The committee regularly provides updates to senior leadership and the Audit Committee, as well as the full Board, which includes information regarding our cybersecurity program initiatives, program performance, and the reporting provided by third party service providers.


Company Information

Name: AZZ INC
CIK: 0000008947
SIC Description: Coating, Engraving & Allied Services
Ticker: AZZ - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: February 27