POWER SOLUTIONS INTERNATIONAL, INC. - (PSIX)
10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity.
The Company continuously enhances its policies, procedures, and controls to mitigate the substantial rise in cybersecurity risks and challenges and to protect its data.
Risk Management Strategy
The Company’s cybersecurity risk management function is led by the Vice President of Information Technology, who evaluates processes and activities within the Company’s information technology infrastructure and automated systems. During 2023, the Company completed a detailed assessment to identify all technology and cyber tools currently in place and assessed its information technology personnel’s cybersecurity capabilities and skill sets. During 2023, the Company also focused on formalizing cybersecurity procedures and defining standards for risk identification and communication activities. The Company utilizes National Institute of Standards and Technology guidance in all cybersecurity policies and procedures. Annual training for employees is required, as well as ad hoc training on specific topics or events as deemed appropriate throughout the year. The Company also has cyber insurance to assist the Company both financially and operationally if a cyber event were to occur. Below is the basic framework used in the Company’s risk management strategy:
•Identify - set of procedures to identify assets to be protected, including computation, data, and integrity;
•Protect - set of procedures to effectively engage and monitor adequate safeguards of critical infrastructure services;
•Detect - set of activities, tools, and procedures to timely identify anomalies through continuous monitoring;
•Respond - set of activities to effectively respond to and contain detected and confirmed cybersecurity events, and
•Recover - set of activities and procedures to ensure any assets impaired because of a cybersecurity event are restored to use within the stated recovery point/time objectives.
The Company has taken steps to gain insight into how cybersecurity risk management functions have been integrated into its overall risk management systems and processes. Below are the risk management activities regularly performed:
•Cybersecurity, as described above;
•Financial control risk assessment which is a formal part of the annual internal control program;
•Management’s risk assessment associated with the budgeting and strategic planning process;
•Annual update of risk factors in the Company’s Form 10-K by key executives;
•Legal risk assessment associated with our response to the Department of Justice proceeding, and
•A broader fraud risk assessment (also performed as part of the internal control program).
The Company’s information technology and risk management function is highly centralized, with the Corporate Controller and Vice President of Information Technology involved in most of the risk-related activities, which provides consistent input throughout risk management activities and aids in identifying dependencies and duplications. The Company engaged a third party to conduct its phishing and penetration tests in 2023. The Company is in the process of implementing new processes, procedures, and tools as a result of the observations from these tests and expects all actions to be implemented during 2024.
The Vice President of Information Technology oversees the population of third-party service providers connected to any of the Company’s networks. The Company obtains a Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting, Type 2 Report (“SOC-1 Report”), which reports on the fairness of the presentation of the service provider’s description of the service organization’s system and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives throughout a specified period. The SOC-1 Report is reviewed by Internal Audit. The Company limits third-party service providers’ access to information based on the nature of the services they perform, which provides a significant level of risk management before any third-party access to data.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. We face ongoing risks from certain cybersecurity threats, and we cannot provide assurance that, if those risks materialize, our business strategy, results of operations or financial condition will not be materially affected in the future. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.
Governance
The Audit Committee of the Board (the “Audit Committee”) has been designated as the board committee with oversight responsibility for cybersecurity, as delegated in the Audit Committee charter. The following summarizes the role of the Audit Committee and the frequency with which it oversees and monitors cybersecurity risks:
•At least annually, the Vice President of Technology presents compliance activities related to cybersecurity to the Audit Committee, including those activities related to compliance with the cybersecurity disclosure regulations;
•Any material breaches would be disclosed to the Audit Committee either in regularly scheduled meetings or in calls with the Chair of the Audit Committee if the communication is urgent;
•Periodically, the Vice President of Information Technology provides updates to the Audit Committee on internal controls surrounding information technology (including cybersecurity);
•The Chair of the Audit Committee provides regular updates on Audit Committee meeting activities, which include cybersecurity; and
•The Vice President of Information Technology presents updates on the cybersecurity program to the Company’s Board annually.
All cybersecurity events are communicated to the Corporate Controller and the Internal Audit Vice President for disclosure considerations. Material and severe occurrences are escalated to the Chief Executive Officer and Chief Financial Officer for further review, discussion, and remediation.
The Vice President of Information Technology is responsible for managing overall cybersecurity and cyber risks, including infrastructure, development, and cybersecurity. The Vice President of Information Technology has extensive and progressive experience in supporting information technology risks and objectives at manufacturing companies comparable to the Company and is a Certified Information Systems Security Professional from ISC2, a leading association for cybersecurity professionals. The Company’s Vice President of Information Technology is required to have the following qualifications:
•Asset Security;
•Security Architecture and Engineering;
•Communication and Network Security;
•Identity and Access Management;
•Security Assessment and Testing;
•Security Operations; and
•Software Development Security.
Management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity threats through the Vice President of Information Technology. The Company’s information technology landscape is not large or complex, and it has a limited data footprint, which allows the Vice President of Information Technology to be directly responsible for, and stay aware of, all incidents. The Company has sufficient tools and processes in place to allow the Vice President of Information Technology to be effective as the central point person for monitoring and reporting incidents.