ALTA EQUIPMENT GROUP INC. - (ALTG)
10-K Filing Date: March 14, 2024
Governance
Governance and oversight of cybersecurity risks and strategies form a core component of our risk management framework. Recognizing the critical importance of cybersecurity in protecting our operations and preserving shareholder value, we have established a governance structure that emphasizes proactive risk identification, management, and mitigation across the entirety of our organization.
Central to our governance approach is the active involvement of our Audit Committee, which plays a vital role in overseeing the Company's cybersecurity strategy. Alta's Audit Committee is a subset of our Board of Directors, which maintains oversight of our strategic direction regarding cybersecurity.
Key to the Audit Committee's effectiveness is its regular engagement with our cybersecurity team, as further described below, a practice that provides direct communication and alignment on cybersecurity matters. During these critical meetings, several pivotal areas are reviewed to assess the adequacy and effectiveness of our cybersecurity measures:
This structured approach to governance and oversight, with a clear emphasis on receiving feedback, allows us to align with the entire Alta organization. By prioritizing the identification and management of cybersecurity risks at the highest levels, we aim to safeguard our assets, protect shareholder interests, and maintain the continuity of our business operations in the face of evolving cyber threats.
Management
Our Senior Director of IT and Director of Security and Compliance have primary responsibility for assessing and managing cybersecurity risks. An internal team of cybersecurity experts executes our cybersecurity program while our VP of Information Services provides executive oversight. Combined, our experts bring multiple decades of cybersecurity experience and have earned cybersecurity-related certifications. Our internal team is bolstered by strategic third-party security partners leveraged to provide 24x7 monitoring and response. Third parties routinely assess our security practices, providing tactical assistance or strategic guidance through audits and penetration tests. All members of the team routinely discuss emerging security threats and ways to mitigate risk.
Strategy
We utilize an in-depth layered approach to security. This allows us to respond to and proactively mitigate cybersecurity risks, underscoring our commitment to the confidentiality, integrity, and availability of our data and systems. The Company has processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. Our strategy includes the deployment of advanced security products and rigorous penetration testing to identify and mitigate vulnerabilities by continuous vulnerability scanning and round-the-clock monitoring by both internal and external teams. This proactive stance is further bolstered by backup and recovery protocols, ensuring data resilience, and enhanced by email security measures and endpoint detection and response systems to thwart malicious activities.
Additionally, our commitment to security best practices is evident in our implementation of privileged access management, security awareness training for all employees, dark web monitoring, and 24x7 threat monitoring.
Our incident response plan is designed to address security incidents promptly and effectively, supported by stringent information security policies and the implementation of a Security Information and Event Manager (SIEM) system for real-time analysis and reporting of security events and incidents. Furthermore, identity management and mobile device management extend our security perimeter, safeguarding against both external and internal threats. As part of our annual security commitment, we undergo annual penetration testing to assess whether our necessary security controls are maintained.
The Company faces risks from cybersecurity threats that could potentially have an adverse effect on our business, financial condition, results of operations, cash flows and/or reputation. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have experienced threats to and breaches of our data and systems. For more information about the cybersecurity risks we face, see the risk factor entitled “Security breaches and other disruptions in the Company’s IT systems, including the Company’s ERP system, could limit the Company’s capacity to effectively monitor and control our operations, compromise ours or our employees', customers’ and suppliers’ confidential information, or otherwise adversely affect the Company’s operating results or business reputation” in Item 1A. Risk Factors.