TREDEGAR CORP - (TG)
10-K Filing Date: March 15, 2024
Item 1C. CYBERSECURITY
Tredegar’s business model depends on the efficiency and reliability of its information systems, networks, and essential assets, with a portion of these systems and networks being administered by third-party service providers. Tredegar’s Cybersecurity Program (the “Program”), which was designed utilizing a risk-based approach, was developed to not only prevent, identify, investigate, resolve, and mitigate potential cybersecurity vulnerabilities within Tredegar but also to enhance the information security posture of Tredegar’s operations involving third-party service providers.
Tredegar entrusts the third-party service providers with the responsibility to institute security measures and protocols that are appropriately and proportionally tailored to the corresponding risks. Tredegar also periodically conducts assessments of the third-party service providers’ security frameworks to verify the implementation of adequate security measures and to safeguard Tredegar against potential vulnerabilities.
The Program leverages a blend of automated systems, manual operations, and external evaluations to proactively identify and mitigate potential cybersecurity threats. Key components of the program include Tredegar’s Cybersecurity Incident Response Plan and Cyber Crisis Management Plan. These plans encompass a strategic approach that includes detection of threats, thorough analysis of cybersecurity incidents to determine whether timely notification to the Board of Directors is necessary, containment of incidents, eradication or mitigation of threats, recovery processes, and a comprehensive post-incident review.
To further strengthen its cybersecurity posture, Tredegar employs third-party consultants who work with the internal audit and information technology (“IT”) departments to assess Tredegar’s information security program and practices, including incident management, service continuity, and information security compliance programs, and identify areas for improvement.
The results of such an assessment are regularly presented to the Audit Committee. Notably, these assessments include periodic penetration tests, which allow Tredegar to identify vulnerabilities, refine procedures, and enhance its crisis management and recovery capabilities. The Program is also supported by an organizational structure, involving collaboration across various business sectors and an interdisciplinary Global Data Protection and Cybersecurity Oversight Team that meets regularly to identify information security risks and appropriate risk mitigation strategies. Additionally, because Tredegar recognizes the significant role that its employees play in information security, it provides annual formal information security training to all of its employees that covers critical topics such as phishing and email security best practices.
Tredegar’s IT Director has over 10 years of cybersecurity expertise, including a robust history of similar roles, holds cybersecurity certifications from EC-Council and ODU Global, and holds a degree in Computer Science from Universidade Catolica de Pernambuco and an MBA in IT Management from Universidade Federal de Pernambuco. Our IT Director is responsible for overseeing the Program, including the prevention, mitigation, detection, and remediation of cybersecurity incidents. Tredegar’s IT Director also regularly collaborates closely with key management, including the Chief Financial Officer, General Counsel, Compliance Manager, and Human Resources Executive Director, to foster effective communication within Tredegar.
The Board is responsible for risk management, with specific oversight of cybersecurity risks being delegated to the Audit Committee. The Audit Committee receives updates from the IT Director at each of its quarterly meetings. These updates encompass an assessment of Tredegar’s cybersecurity risk profile, including the efficacy of Tredegar’s cybersecurity policies, procedures, strategies, and areas of emerging risk. Additionally, the Board receives annual, but often more frequent, updates on Tredegar’s cybersecurity systems.