AMERICAN VANGUARD CORP - (AVD)

10-K Filing Date: March 28, 2024
ITEM 1C. CYBERSECURITY

Risk Management & Strategy. AVD has adopted a comprehensive set of controls and processes to encourage a high level of awareness of, and responsiveness to, cybersecurity threats. The foundational document outlining the program is embodied in Registrant’s Enterprise Information Security Policy (the “REIS Policy”). The REIS Policy establishes a framework for the continuous monitoring of its computing resources, the maintenance and reporting of audit logs and the assessment of events that could form the basis of a threat. In addition, the REIS Policy sets forth requirements for employee awareness training, user authentication, software usage restrictions and boundary protection, among other things. The policy also establishes an incident response plan, including back-up hosting, alternate processing and system recovery, along with assignment of responsibility and resources for those activities. Within the exhibit of the REIS Policy, management either working alone or, in case of greater complexity, with consultants, will assess an incident or series of incidents for materiality, taking into account the nature of the incident,, duration, the nature of data compromised, and the nature of damages (including with respect to reputational, third party, share price, and business interruption) and all within the context of the Company's financial performance during the affected reporting period(s).

Furthermore, AVD has taken measures to prevent cybersecurity breaches, to minimize threats and, to the extent possible, to anticipate trends and identify vulnerabilities before arising to the level of an incident. In short, AVD is pro-active in its approach and has formulated a specific plan to investigate, respond and minimize loss of functionality or other damage from an incident. There are no cybersecurity threats, including as a result of prior incidents, that have materially affected the Company, including our business strategy, results of operations or financial condition as of the date hereof to our knowledge.

Governance. The REIS Policy has been drafted in collaboration with one of the largest IT solutions providers in the field and was modeled after NIST standards relating to governance, documentation and processes. The Company is implementing the REIS Policy through its Cyber and Privacy Risk Steering Committee (the “CPRSC”), which is chaired by the Chief Administrative Officer (who is also AVD’s Risk Manager) and includes cross functional business process owners from operations, sales, marketing, finance and Human Resources, as well as our Director of Information Technology, who alone has over 30 years’ experience in IT-related security and whose staff collectively has over 50 years’ experience in this area. In addition, the committee is advised by a virtual Corporate Information Security Officer who works with the third-party solutions provider.

AVD's Board of Directors maintains oversight of cybersecurity planning, response and reporting as follows. The Lead Director, Scott Baskin, who also serves as Chair of the Risk Committee and member of the Audit Committee, is Cybersecurity Liaison to AVD’s management team. The Chair of the CPRSC reports on cybersecurity preparedness, issues and incidents to the Cybersecurity Liaison regularly. Through this reporting structure, the cybersecurity team has direct interaction with the highest level of the Board and with both the Risk and Audit Committees. Cyber risk has been a subject of regular review and discussion at the Risk Committee for several years. With the advent of the CPRSC, the delineation of governance and responsibility has become that much more focused.