Alto Ingredients, Inc. - (ALTO)
10-K Filing Date: March 14, 2024
We recognize the critical importance of maintaining the trust and confidence of our customers, business partners, employees and other stakeholders. We engage in active oversight of cybersecurity, a cornerstone of our comprehensive enterprise risk management (ERM) program. Our cybersecurity framework is rooted in the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, or CSF, as well as the International Organization for Standardization (ISO/IEC 27001), reflecting our commitment to uphold the highest cybersecurity standards. We align our policies, standards and practices with these benchmarks and dynamically refine them to address evolving cybersecurity threats.
Risk Management and Strategy
We maintain a cybersecurity program aligned with NIST CSF standards designed to identify critical assets and vulnerabilities, protect them with appropriate safeguards, promptly detect cybersecurity events, respond effectively to mitigate their impact and recover from incidents to restore services. Our cybersecurity program is designed to safeguard the confidentiality, integrity and availability of information. Our cybersecurity risk management strategy includes:
● Governance: The Audit Committee of our Board of Directors oversees our cybersecurity risk management. Our Chief Financial Officer and Director of Information Technology, along with key executives, have roles in governance and facilitating alignment across our organization.
● Compliance and Standards: We design our cybersecurity program for compliance with industry-specific and other regulations (e.g., the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)) demonstrating our commitment to both domestic and international information security standards.
● Technical Safeguards: We deploy technical defenses against cybersecurity risks of attack and other incidents, including firewalls, intrusion detection and prevention systems and access controls. We refine these measures based on our ongoing assessments, including cybersecurity threat intelligence updates.
● Incident Response and Recovery Planning: We maintain incident response and recovery frameworks, tested twice yearly through simulations and tabletop exercises, to improve our preparedness to effectively manage and mitigate cybersecurity incidents.
● Education and Awareness: Our personnel undergo mandatory periodic training on cybersecurity threats, with updated insights into effective defense mechanisms and our evolving cybersecurity policies and practices.
● Use of Third Parties: We collaborate with external cybersecurity service providers, including auditors and consultants, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements. In addition, we employ third-party technology and other solutions to enhance our protection against cybersecurity risks. These solutions include our use of a managed security service provider to support our in-house technology team, an endpoint detection and response, or EDR, system for ongoing surveillance, detection, and action against threats, as well as a security information and event management, or SIEM, system designed to automate the real-time identification, investigation and prioritization of critical alerts.
● Third-Party Risk Management: We use a comprehensive due diligence process, emphasizing continuous monitoring, to manage third-party risks and to ensure our business partners’ cybersecurity practices meet our stringent standards.
As of the filing of this report, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect, Alto Ingredients, Inc.
Governance
● We take a comprehensive and forward-looking approach to cybersecurity risk management under the oversight of our Audit Committee. Management, including our Chief Financial Officer and our Director of Information Technology, provides regular updates to ensure a strategic, unified response to cybersecurity challenges. Management is notified of, and monitors, cybersecurity incidents through our EDR and SIEM systems.
● Our Director of Information Technology has over 20 years of experience in information technology and five years of experience serving directly as a Chief Information Security Officer for other organizations.
● Our networks and systems are continuously monitored by a combination of third-party service providers and an internal cybersecurity team. Management is promptly notified of cybersecurity incidents.
● Our Audit Committee is promptly notified by our management of any material cybersecurity breach.
● Our Board of Directors is briefed at least annually on the state of our cybersecurity program.
● Our internal cybersecurity team collaborates with external cybersecurity service providers, including auditors and consultants, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements.
Engagement and Continuous Improvement
We periodically evaluate our cybersecurity measures through internal and external audits and assessments to ensure our cybersecurity program is at the forefront of industry best practices. The results of these audits and assessments inform adjustments to our cybersecurity program to improve our resilience against emerging cybersecurity threats.