AMPCO PITTSBURGH CORP - (AP)
10-K Filing Date: March 25, 2024
Risk Management
The Corporation’s risk management program includes focused efforts to identify, assess and manage cybersecurity risks including, but not limited to, the following:
The Corporation’s information security program is managed by its Data Protection Manager (“DPM”) and its Information Technology Department (collectively, the “IT Team”). The DPM has extensive experience in cyber and global data protection initiatives with the Corporation and reports directly to the Corporation’s Chief Executive Officer. The IT Team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes.
In addition, the Corporation has established a Cybersecurity Materiality Assessment Team (“CMAT”) for the purpose of evaluating specific cyber incidents or a series of related incidents. It includes certain of the Corporation’s senior managers with cross-functional representation from operations, finance/accounting, information technology, risk management and human resources. CMAT is responsible for assessing the potential materiality of a cyber-incident based on the actual and anticipated potential impact to the Corporation’s results of operations, financial position and cash flows; operations including disruptions and downtime; strategic plans; confidential information; employee and community health and safety; customers and vendors; investors; regulatory compliance; and reputation.
Engage Third Parties
As part of the Corporation’s cybersecurity risk management process, the Corporation engages a range of third parties, including consultants and advisors, to assist with security assessments and operations, employee training and awareness, compliance, penetration testing, network and endpoint monitoring, threat intelligence, and the Corporation’s vulnerability management platform. These relationships enable the Corporation to access specialized knowledge and insights with respect to its cybersecurity strategies and processes.
Risks from Cybersecurity Threats
From time to time, the Corporation has experienced attempts by unauthorized parties to access or disrupt its information technology systems. To date, it has not experienced any known material breaches or material losses related to cyber-attacks. However, a failure of the Corporation’s information systems or a cybersecurity breach could materially and adversely affect its business, results of operations and financial condition. See additional information provided under Item 1A, Risk Factors. The Corporation manages its cybersecurity risk by limiting its threat landscape. For example, the Corporation does not store, transmit or process many of the types of data commonly targeted in cyber-attacks, such as consumer credit card or financial information. The Corporation recognizes cyber-threats are a permanent part of the risk landscape, and new threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority.
Monitoring Cybersecurity Incidents
The Corporation’s efforts to prevent and detect cybersecurity incidents include continuous monitoring of the Corporation’s networks. Employees throughout the Corporation are trained to report cybersecurity threats as they are identified. If an incident occurs or is suspected, it is reported to the DPM, who completes an initial assessment of the incident and assigns it a priority level as outlined in the IRP. At the same time, the DPM initiates the review process with CMAT and proceeds with the remediation process for eradication and recovery.
The CMAT assesses potential materiality of the confirmed or suspected security incident based on the actual or anticipated potential impact to the Corporation’s results of operations, financial position and cash flows; operations including disruptions and downtime; strategic plans; confidential information; employee and community health and safety; customers and vendors; investors; regulatory compliance; and reputation.
The DPM reviews any material cybersecurity threats or incidents, as defined in the IRP, with the Audit Committee when they occur, and reviews non-material threats or incidents with the Audit Committee on a regular basis. The materiality determination for a cybersecurity threat or incident considers both its actual and its potential impact.
Board of Directors Oversight
The Audit Committee of the Board of Directors (the “Audit Committee”) oversees and reviews the design and effectiveness of the Corporation’s cybersecurity program and its contingency plans and provides regular reports to the Board of Directors of the Corporation. The DPM provides periodic reports to the Audit Committee, the Corporation’s Chief Executive Officer, Chief Financial Officer, and other members of senior management at each of the Audit Committee meetings and in the event of a cyber incident deemed material. These reports include updates on the Corporation’s cyber risks and threats, the status of projects to strengthen its information security systems, assessments of the information security program, and the emerging threat landscape.