Arq, Inc. - (ARQ)

10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
Definitions
Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
Information systems means electronic information resources, owned, or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to maintain or support the registrant's operations.
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We engage third parties in connection with our risk assessment processes. We require each third-party service provider to adhere to our internal security policies, to certify that it has the ability to implement and maintain appropriate security measures consistent with all applicable laws, to implement and maintain reasonable security measures in connection with its work with us, and to promptly report any suspected breach of its security measures that may affect our company. These service providers are primarily overseen by our Vice President of Information Technology ("VP of IT") and assist us in monitoring and testing our safeguards, including execution of external penetration testing and ongoing real-time vulnerability assessments through our extended detection and response processes to identify cybersecurity threats. Through our normal change control processes, we conduct risk assessments in the event of a material change in our business processes that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote resources and personnel, including our VP of IT, who reports to our VP of Finance, to manage the risk assessment and mitigation process.
As part of our overall risk management, we monitor and test our safeguards and train our employees on the importance of these safeguards. We maintain a formal information security awareness training program for all employees that includes training on matters such as phishing, email security best practices and data protection. Employees also receive random phishing tests at regular intervals to further assess and mitigate overall risk.
We maintain a cybersecurity incident response plan to help ensure a timely, consistent and compliant response to actual or attempted cybersecurity incidents impacting the Company. The incident response plan includes (1) detection, (2) analysis, which may include timely notice to our management and audit committee chair, (3) containment, (4) eradication, (5) recovery and (6) post-incident review. We also maintain cybersecurity insurance to manage potential liabilities resulting from specific cybersecurity incidents. It is important to note that although we maintain cybersecurity insurance, there can be no guarantee that our insurance coverage limits will protect us against any future claims or that such insurance proceeds will be paid to us in a timely manner.
To date there have been no cybersecurity incidents that have materially affected the Company or its operations. Despite security measures we have implemented, there is always the risk that certain cybersecurity incidents could materially disrupt operational systems limiting our ability to manufacture and deliver products to customers.
Governance
Our VP of IT has approximately five years of experience in cybersecurity and oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our VP of IT is primarily responsible for assessing and managing our material risks from cybersecurity threats, including monitoring and assessing strategic risk exposure.
While management is responsible for the day-to-day management of cybersecurity policies and procedures, our audit committee is tasked with oversight of our risk management process, which includes risks from cybersecurity threats. The processes by which our audit committee is informed about and monitors the Company’s strategy regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents include the following:
Our VP of IT provides quarterly briefings to the audit committee regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, emerging threats and updates, cybersecurity systems testing, activities of third parties, and the like. Our audit committee and VP of IT provide regular updates to the board of directors on such reports. In the event of an actual cybersecurity threat or incident, management is notified in accordance with the cybersecurity response plan above.