SUPERIOR INDUSTRIES INTERNATIONAL INC - (SUP)

10-K Filing Date: March 07, 2024
ITEM 1C. - CYBERSECURITY

Cybersecurity Risk Strategy and Management

Our cybersecurity strategy is focused on cyber-resilience, the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources. Continuous improvement actions are designed to drive to a zero-trust architecture and a cyber-resilient enterprise. While this cyber-resilience strategy is in place, our systems, and those of our customers, suppliers and other service providers, are subject to cybersecurity incidents. A system disruption could result in business disruption, theft of our intellectual property, trade secrets or customer information and unauthorized access to personnel information. To the extent that our business is interrupted, or data is lost, destroyed or inappropriately used or disclosed, such disruptions could significantly and adversely affect our competitive position, relationships with our customers and other stakeholders, financial condition, operating results and cash flows. In addition, we may be required to incur significant costs to protect against these disruptions or security breaches in the future.

Superior employs a risk-based vulnerability management process for assessing and managing cybersecurity risk. Utilizing the National Institute of Standards and Technology (“NIST”) cybersecurity framework, the IT team assesses the risk based on the Center for Internet Security Critical Security Controls. The assessment includes the ability to identify, protect, detect, respond and recover from cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers. The risk-based vulnerability management prioritizes action under both an asset context and vulnerability context, considering factors such as asset exposure, potential business impact, threat context and vulnerability severity.

Business email compromise (“BEC”) continues to be a top threat for cybersecurity risk leading to potential financial loss, data breach or further information systems compromise. Variants and combinations of BEC, including phishing, spear phishing, “adversary in the middle” attacks (i.e., attacks that allow interception of network communications) and, in particular, “zero-day” attacks (i.e., attacks that exploit a previously unknown vulnerability), present a financial, data loss and business continuity risk. The risk of these attacks exists within the Company, within our customer partners and within our vendor partners in the supply chain. BEC prevention is a top focus in our risk-based cyber-resiliency strategy. In addition to BEC, vulnerabilities may exist in business systems and their associated infrastructure; these are mitigated through a protocol for managing software update “patches,” although the protocol’s coverage is sometimes limited by the age of legacy systems.

Superior engages cybersecurity partners and consultants to help strengthen its cyber-resiliency program. These engagements include but are not limited to incident response (“IR”) planning and IR retainers, penetration testing, vulnerability assessments, IR plan testing, and advisement and awareness of latest threat vectors.

All of the Company’s global suppliers must comply with its Supplier Code of Conduct (“SCOC”). The SCOC contains certain data security and notification requirements, and the Company explicitly maintains the right to monitor and audit compliance with the SCOC.

Cybersecurity Governance

The Board of Directors maintains overall oversight of cybersecurity risk, and the Audit Committee provides direct oversight of the Company’s activities to prevent, detect and respond to cybersecurity threats. The Chief Information Officer (“CIO”) and a designated system security engineer are the primary responsible management parties to monitor, assess, and manage cybersecurity risk. Our CIO has led global IT organizations for over ten years with direct oversight responsibility for cybersecurity, the global IT landscape and its data integrity. Our security engineer is solely focused on monitoring, assessing, and managing Superior’s cybersecurity breach prevention, detection and management, including the ongoing cybersecurity risk education of our employee base. Our security engineer’s experience includes the design and implementation of IT security systems, tools, and processes, comprehensive security assessments, and the implementation of remediating action plans for detected weaknesses.

Risk is monitored and managed through a combination of vulnerability assessments, continuous monitoring, endpoint protection, incident response planning, security awareness training, regulatory compliance monitoring, and threat intelligence.

Utilizing the NIST cybersecurity framework, the CIO provides quarterly updates to the Audit Committee on cybersecurity risk management, including the Company’s latest risk assessment, action plan status and metrics. The Audit Committee regularly briefs the full Board on these matters. In addition, the CIO provides an annual report to the Board on the Company’s cybersecurity plan and key activities.

Management roles and responsibilities of Superior’s cybersecurity incident management are defined within the Company’s IR plan. The plan includes the formation of the Security Incident Response Team responsible for leading incident response. In the event of specific cybersecurity incidents, defined sub-teams are engaged, as necessary, to monitor the mitigation and remediation of cybersecurity incidents. These sub-teams are comprised of cross-functional experts including, but not limited to, legal, accounting, operational and IT leadership and relevant external counsel.

All incidents are prioritized and assessed for materiality. Cybersecurity incidents are reported to relevant stakeholders in accordance with the incident response plan. All notable cybersecurity incidents as well as the number of cybersecurity incidents are reported quarterly to the Board of Directors.