ASTEC INDUSTRIES INC 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 18, 2025

ASTEC INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:25:00 EST.

Filings

10-K filed on 2025-02-26

ASTEC INDUSTRIES INC filed a 10-K at 2025-02-26 16:25:00 EST
Accession Number: 0000792987-25-000013


Item 1C. Cybersecurity.

Risk Management and Strategy

We have developed and implemented a comprehensive cybersecurity strategy and risk management program that is informed by the following key elements:

- Periodic cybersecurity program maturity assessments to evaluate the overall controls, processes, skills and platforms leveraged to assess, identify and manage material risks from cybersecurity threats.
- Periodic business impact assessments of key business processes and services that enable us to identify sensitive and critical aspects of the business, the impact of operational disruptions to those processes and services and the sensitivity of the data leveraged in those processes and services.
- An external assessment of the cybersecurity risks associated with our operations.
- Periodic penetration testing of our internal and external IT environment to validate the real-world efficacy of our cybersecurity program and mitigate the risks of new cybersecurity vulnerabilities.

We utilize internal information technology resources for the primary aspects of our cybersecurity program. Our internal team is supported by external service providers and consultants as needed.

We utilize third-party service providers to manage portions of our business operations. We have established processes to review, identify and manage cybersecurity risks associated with the use of service providers. Prior to engaging these providers, we review the providers’ SOC 2 Type II or other relevant security audit reports to ensure proper security controls are in place. We evaluate the service providers’ controls for incident response strategy to identify any significant risks and adapt accordingly. We systematically review these assessments for any significant change throughout the relationship. Our risk management program consistently monitors for risk to our systems and services presented by these service providers and promotes strategies to address any threats identified.

To reduce the risk that we are materially impacted by a cybersecurity incident, we employ a multi-layered defense approach to cybersecurity leveraging our people, external resources, controls, tools and automated/monitored platforms to support the detection and response to cybersecurity incidents. We also have a cybersecurity incident response plan that outlines the steps we will take to respond to a cybersecurity incident, which is tested on a periodic basis. Additionally, we have a retainer for external forensics support if required for a material incident. Finally, we conduct cybersecurity training and awareness programs for relevant employees, periodically conduct tabletop exercises leveraging actual scenarios to validate and improve our cybersecurity incident response plan and ensure that our management has a thorough understanding of and experience executing their roles and responsibilities if a cybersecurity incident were to occur.

Our cybersecurity strategy and risk management program is a component of our overarching enterprise risk management program and interfaces with other functional areas within the Company, including our business segments, legal, risk, human resources and internal audit departments.

While we have experienced cybersecurity incidents in the past, we do not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our business or financial condition. However, there can be no assurance that we will not suffer a significant event in the future that could materially affect our business, financial position, results of operations or cash flows. For more information on how cybersecurity risk may materially affect our business, financial positions, results of operations or cash flows, please refer to Part I, Item 1A. Risk Factors hereof.

Governance

Our Board of Directors has primary responsibility for evaluating cybersecurity risk management, overseeing our major cybersecurity risk exposures and the steps management has taken to monitor and control these exposures, including policies and procedures for assessing and managing risk, as well as oversight of compliance related to legal and regulatory exposure.

The management positions responsible for assessing and managing cybersecurity risks include our Director of Cybersecurity and our Chief Information Officer (“CIO”), who reports directly to our Chief Executive Officer (“CEO”). Our CIO is responsible for ensuring that we have a cybersecurity risk management program in place that is fully aligned with business requirements and strategy. Our CIO and Director of Cybersecurity both have over 20 years of cybersecurity oversight experience. Our CIO previously served as CIO for a New York Stock Exchange listed manufacturing company prior to joining the Company. Additionally, our Director of Cybersecurity has experience developing and implementing cybersecurity programs for multiple manufacturing firms.

As part of our defined cybersecurity policies and cybersecurity incident response plan, management is regularly updated on the status of the execution of our cybersecurity strategy and daily operations of the program. This includes regular reporting and evaluation of all cybersecurity incidents, not only those that may be deemed material. Our CIO, supported by our Director of Cybersecurity, provides quarterly reports to the Board, which generally includes:

- Our cybersecurity risk profile;
- Any changes to our cybersecurity strategy;
- Status of the execution of the cybersecurity strategy; and
- Summary of any material cybersecurity incidents that have occurred over the past quarter, including the nature, impact and resolution of incidents.

In the event of a material cybersecurity incident, communication to the Board is provided pursuant to our cybersecurity incident response plan.


Company Information

Name: ASTEC INDUSTRIES INC
CIK: 0000792987
SIC Description: Construction Machinery & Equip
Ticker: ASTE - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30