APOGEE ENTERPRISES, INC. 10-K Cybersecurity GRC - 2024-04-26

Page last updated on July 2, 2024

APOGEE ENTERPRISES, INC. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-26 14:47:14 EDT.


10-K filed on 2024-04-26

APOGEE ENTERPRISES, INC. filed a 10-K at 2024-04-26 14:47:14 EDT
Accession Number: 0000006845-24-000088


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the critical importance of maintaining the confidentiality, integrity and availability of our information systems and data, and of effectively assessing, identifying and managing cybersecurity and related risks. Our cybersecurity risk management program is integrated into our Enterprise Risk Management framework and utilizes a holistic approach to addressing cybersecurity risk, and it is supported by our employees, cybersecurity team, senior management, the Enterprise Risk Management committee (a committee comprised of primary corporate functions) and our Board of Directors. The underlying controls for the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) and the Center for Internet Security Benchmark (CIS).

Our cyber risk management program includes an incident response plan for evaluation, response and reporting of cybersecurity incidents, including notification of the Board and third parties, as appropriate. Under the plan, a Cybersecurity Intake Team (CIT), which is comprised of the Chief Information Officer (CIO), Senior Director of Information Security (SDIS) and other executive management, is responsible for a materiality assessment of cybersecurity incidents, taking into consideration both quantitative and qualitative factors, and subject to ongoing monitoring and escalation based on materiality.

Third party vendors and suppliers also play a role in our cyber risk management program. In circumstances where such third parties will access our systems and data, our SDIS participates in the vendor management process, including the review of contractual requirements and contractually imposing obligations on the vendor to report cybersecurity incidents to us so that we can assess the impact.

In addition to the incident response plan and vendor management process, our cyber risk management program includes:
- an information technology and cybersecurity training program, and ongoing employee testing to evaluate the effectiveness of quarterly internal training and awareness communications;
- external advisors to assist with cybersecurity risk assessment, including third-party monitoring of the Company’s systems, external network penetration testing, and yearly cyber event preparedness exercises;
- development of strategies to mitigate cyber risks;
- crisis management, business continuity, and disaster recovery plans.

We have not encountered cybersecurity incidents or identified risks from cybersecurity threats that have had a material adverse effect on our operations or financial standing. Notwithstanding the efforts we take to manage our cybersecurity risk, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.

Governance

Management’s Role in Managing Risk

Within our organization, our CIO, who reports to our CEO, oversees our cybersecurity function. Our SDIS reports to our CIO and is generally responsible for management of cybersecurity risk and the protection and defense of our network and systems, including the development and management of policies and processes to identify, contain, and investigate potential incidents and ensure recovery therefrom. Our SDIS has over 15 years of experience managing information technology and cybersecurity matters in multiple industries. The SDIS maintains Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications and holds a degree in information technology management.

Board’s Role in Oversight

Our full Board oversees our cyber risk management program, and includes cybersecurity as part of the assessment of the Company’s overall Enterprise Risk Management program. At least twice per year, and more frequently if necessary, our CIO updates our Board on the Company’s cyber risk profile and the steps taken by management to mitigate those risks. In the event of a material cybersecurity incident, the Board would receive prompt and timely information regarding the incident, as well as ongoing updates regarding such incident until it has been addressed. Cybersecurity-related risks are included in the Enterprise Risk Management committee’s evaluation of top risks to the enterprise, which are also presented to the Board and executive management twice per year.

Company Information

SIC Description: Glass Products, Made of Purchased Glass
Ticker: APOG - Nasdaq
Category: Large accelerated filer
Fiscal Year End: March 1