ALPHA PRO TECH LTD - (APT)
10-K Filing Date: March 13, 2024
Cybersecurity
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational disruption; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, to inform our professionals’ risk identification and assessment.
We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our program to best practices, as well as by engaging experts to attempt to infiltrate our information systems (as such term is defined in Item 106(a) of Regulation S-K). We test and review the result on a semi-annual basis.
Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from cybersecurity incidents (as such term is defined in Item 106(a) of Regulation S-K), and to provide for the availability of critical data and systems and to maintain regulatory compliance. These controls include the following activities:
● | monitor emerging data protection laws and implement changes to our processes designed to comply; |
● | conduct regular cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; |
● | conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats; |
● | through policy, practice and contract (as applicable) require employees, as well as third-parties who provide services on our behalf, to treat customer information and data with care; |
● | leverage the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; |
● | maintain multiple layers of controls, including embedding security into our technology investments, multi-factor authentication tools, apply policy of least privilege to data and systems access, monitor logins both at network perimeter and within, segment and firewall system access within the network perimeter not solely at network edge or perimeter; |
● | perform annual system access audit with all departments and personnel |
● | review access logs on all perimeter, security and sensitive data areas |
We perform periodic internal assessments to test our cybersecurity controls and regularly evaluate our policies and procedures surrounding our handling and control of personal data and the systems we have in place to help protect us from cybersecurity or personal data breaches, and we perform periodic internal assessments to test our controls and to help us identify areas for continued focus, improvement, and/or compliance.
We have established a cybersecurity risk management process that includes internal reporting of significant cybersecurity risk to our board when found. In addition, our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Security breaches and other disruptions to the Company’s information technology infrastructure could interfere with the Company’s operations, compromise information belonging to the Company and our customers and suppliers and expose the Company to liability, which could adversely impact the Company’s business and reputation” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K which disclosures are incorporated by reference herein.
In the last fifteen fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.
Cybersecurity Governance
Cybersecurity is an important part of our enterprise risk management program and an area of increasing focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Management is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management process described above, including the operation of our incident response plan. Annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management process and strategy covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee generally receives materials, including current and emerging material cybersecurity threat risks and describing the company’s ability to mitigate those risks, and discusses such matters with our IT Manager.
Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management process. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management process, which is discussed in greater detail above, is led by our IT Manager. Such individual has over twenty five years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs.
Our IT manager skills are further enhanced by MCSA and MCSE certifications and a foundation in Computer Engineering studies at university. Our IT manager has a strong track record of working with major vendors' security, firewall, identity management, and other platforms, ensuring robust and resilient IT infrastructures.
|