FutureFuel Corp. - (FF)

10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

 

The Company understands the importance of managing risks from cybersecurity incidents and utilizes a multilayered strategy guided by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework for assessing, identifying, detecting and responding to threats and other potential incidents. Key aspects of our strategy for managing risks of cybersecurity threats include:

 

 

- Timely security patching of endpoints;
- Network and endpoint-based monitoring with autonomous protection capabilities;
- Backups which are regularly tested for recovery, with key backups hardened against malicious access;
- Third-party security services for audit, benchmarking, and improvement of our cybersecurity program;
- Ongoing monitoring and evaluation of our cybersecurity posture and performance through regular vulnerability scans, simulated phishing tests, and penetration tests;
- Oversight of third-party service providers by conducting vendor diligence upon onboarding and ongoing monitoring;
- An incident response plan designed to coordinate the activities that we and our third-party security service providers take to prepare for, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate incidents, as well as to comply with applicable legal obligations and mitigate any reputational damage;
- A structured management of change process to ensure material changes to our systems or operations have an updated assessment of their potential impact associated with internal and external threats to the security, confidentiality, integrity, and availability of our data and systems, along with other material risks to our operations;
- Ongoing, annual employee security awareness training; and
- Cybersecurity insurance coverage to help mitigate the risk of loss from cybersecurity incidents.

 

To date, the Company does not believe that cybersecurity incidents have materially affected the Company, its business strategy, results of operations, or financial condition. The Company cannot provide assurance that it will not be materially affected by any future material cybersecurity incidents. For more information about the cybersecurity risks the Company faces, see Item 1A, Risk Factors, above.

 

Governance

 

The Company’s Information Technology (“IT”) Director is responsible for developing and implementing our cybersecurity program and has over 20 years of cybersecurity experience in various roles involving information security, developing cybersecurity strategies, and implementing cybersecurity programs. Our program includes a requirement that all employees complete annual cybersecurity awareness training. The IT Director is responsible for reporting audit findings and risk information to the Company’s Chief Financial Officer (“CFO”).

 

Our board of directors is responsible for overseeing our enterprise risk management activities in general, and each of the committees of our board of directors assists the board of directors in the role of risk oversight. The Audit Committee of the board of directors oversees our cybersecurity risk and receives reports from time to time from our CFO on cybersecurity risk management. Promptly after becoming aware of a material cybersecurity incident affecting our IT systems or data, the IT Director would work with management to formulate a mitigation plan and review compliance with such plan, as well as to ensure compliance with any external regulatory or disclosure requirements, including any disclosures of material cybersecurity incidents.

 

 
