AEMETIS, INC - (AMTX)
10-K Filing Date: March 29, 2024
Risk Management and Strategy
Aemetis' cybersecurity and information security framework includes physical, administrative and technical safeguards, as well as plans and procedures we believe are reasonable to help Aemetis prevent and timely and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact our operations, facilities and employees. These plans are based upon our assessment of risk considering our industry, specific operations, cyber perimeter, social exposure, information confidentiality and tertiary stakeholders.
Our efforts focus on protecting and enhancing the security of our information systems, software, networks, and other assets. These efforts are designed to protect against, and mitigate the effects of, among other things, cybersecurity incidents where unauthorized parties attempt to access confidential, sensitive, or personal information; potentially hold such information for ransom; destroy data; disrupt or degrade service or our operations; sabotage systems; or otherwise cause harm to Aemetis, our customers, suppliers, or other key stakeholders. We employ capabilities, processes, and other security measures we believe are designed to reduce and mitigate these risks.
Aemetis contracts with a primary Managed Security Provider (MSP) to provide services that assist us with assessing, enhancing, implementing and monitoring our cybersecurity risk management programs and responding to incidents. Aemetis maintains cyber recovery plans as well as a cybersecurity insurance policy.
Aemetis utilizes a third-party cybersecurity and information security awareness training program. Training is administered and tracked through online learning modules and ongoing phishing simulations. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspect human behaviors or safety issues.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks.
Governance
Role of Management
Aemetis’ cybersecurity initiative is led by its Chief Financial Officer, who is in the unique position of being able to integrate cybersecurity with the financial internal control framework. He is responsible for administration of the cybersecurity and information security program and risk management, using his experience working with information technology and financial control systems during a majority of his career, including over 10 years of overseeing the Aemetis information technology and security program.
We utilize a Managed Security Provider (MSP) who serves as the central point for identifying all cybersecurity incidents and reporting, including incidents that directly target the company network and internal information systems and incidents originating from third parties. The MSP provides end-to-end operations for the purpose of monitoring, detecting, alerting and responding to cyber incidents. The MSP is also responsible for activating the containment and resolution efforts where appropriate to support Aemetis through the resolution of the incident.
The MSP escalates incidents with significant impact and pervasiveness to Aemetis’ Chief Financial Officer, who evaluates each incident in terms of its impact on Aemetis and operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. Our Chief Financial Officer, working with the executive management team, also manages the communication with our Board and outside parties. After initial identification, evaluation and escalation for material events, the MSP monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.
Role of the Board
The Board of Directors ("Board") recognizes the importance of cybersecurity in safeguarding the sensitive data and protecting the perimeter of the computer network. The Board is responsible for overseeing overall risk management for the Corporation, including review of the cybersecurity program. As part of its oversight responsibilities, the Board receives an annual cybersecurity update from the Chief Financial Officer. The annual review includes oversight of cyber exposure, risk assessment, incident response, integration with other control activities, internal monitoring, and risk management processes, such as updates to Aemetis’ cybersecurity programs and mitigation strategies, and other cybersecurity developments.