FOSTER L B CO - (FSTR)
10-K Filing Date: March 06, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The Company’s cybersecurity program is designed to protect its digital assets and information, and to allow for the secure storage and transmission of proprietary or confidential information regarding our customers, employees, job applicants, and other parties, including financial information, intellectual property, and personal identification information. The Company’s cybersecurity program is formed on a risk-based approach in accordance with industry best practices, and is calibrated with recommendations from third party risk management consultants, auditors, cybersecurity professionals, and cybersecurity insurers. Portions of our business are certified under the Cyber Essentials program. Additionally, the Company has performed an ISO 27001 gap analysis and goals have been set forth to comply with ISO 27001 company-wide.
Our cybersecurity program includes:
•a comprehensive cyber education program with ongoing employee cybersecurity awareness and training activities, which include frequent phishing simulation, testing, and ongoing education;
•access management and access controls with periodic reviews;
•protection of certain data through encryption at rest and in transit;
•endpoint and network monitoring and protection software;
•sensitive data transmission detection tools;
•the engagement of a managed detection and response service which monitors the Company’s environment at all times for threats, and in the event of an incident, provides proactive services;
•a vulnerability management program that includes identifying and managing the cybersecurity risk associated with third-party service providers, including third-party software, hardware, and network infrastructure;
•a dedicated internal cybersecurity team and a cyber incident response plan that provides controls and procedures to support appropriate identification, containment, response, investigation, reporting, and recovery from cybersecurity incidents;
•periodic testing of our cybersecurity posture, including by independent third-party consultants; and
•integrating cybersecurity requirements and other provisions into various contracts.
The Company has continued to invest in cybersecurity to evolve and improve its program and regularly assesses and measures itself against industry practices to identify opportunities to enhance training and awareness among our people and to improve the processes and technology used to identify, prevent, detect, respond to, and recover from cybersecurity incidents. When such improvements are identified and validated as appropriate in the Company's business context, they are incorporated in the roadmap for implementation.
To date, although the Company has been subject to cyber-attacks, the risks and impacts from cybersecurity threats have not materially affected the Company. We have significantly increased our cybersecurity investments over the last several years and have implemented cybersecurity safeguards designed to detect and prevent cybersecurity events that may have a material adverse effect on the Company. Notwithstanding our increased cybersecurity investments and preparedness activities, sophisticated and targeted computer crime perpetrated by threat actors internal or external to the Company poses a risk to the security of our systems, facilities, and networks and to the confidentiality, availability, and integrity of our data, including but not limited to intellectual property and confidential and personal data. This could result in a violation of applicable privacy and other laws, legal and financial exposure, negative impacts on our customers’ willingness to transact business with us, and a loss of confidence in our security measures, which could have an adverse effect on our results of operations and our reputation. Refer to the risk factor titled “We are subject to cybersecurity risks and may incur increasing costs in an effort to minimize those risks” in Item 1A of this Form 10-K for further detail regarding cybersecurity risks that could affect the Company’s operations. We maintain insurance covering certain costs that we may incur in connection with cybersecurity incidents, which we believe is commensurate with the size and the nature of our operations. However, the Company may incur expenses and losses related to a cyber incident that are not covered by insurance or are in excess of our insurance coverage.
The Company's Board of Directors (the “Board”) has overall responsibility for the oversight of risk management at L.B. Foster Company, which includes cybersecurity risks. The Audit Committee of the Board (the “Audit Committee”) is responsible for oversight of the Company’s Enterprise Risk Management (“ERM”) program, which provides oversight and governance of all of the Company’s operational and financial risks, specifically including risks from cybersecurity threats to the Company. As described below, the Audit Committee receives regular reports and periodic briefings from senior management on cybersecurity matters, including key risks to the Company, recent developments, and risk mitigation activities.
The Company has a Cyber Incident Response Team (“CIRT”) of trained information technology professionals who are responsible for assessing, identifying, and managing our material risks from cybersecurity threats on an ongoing basis, all of whom have extensive background, experience, and education in information technology and computer science and are subject to training on industry-leading security platforms and tools as well as continuing education to maximize capabilities with the tools and technology of the Company. This team is overseen by the Vice President of Information Technology, who facilitates the regular cybersecurity updates to the Audit Committee. The Company also has a Cyber Security Materiality Assessment Committee (“CMAC”) comprised of the Chief Financial Officer, General Counsel, and information technology and security representatives, which is responsible for assessment of material cybersecurity incidents and communicating such incidents to the Chief Executive Officer, Audit Committee, and the Board.
The CIRT maintains an internal execution and communication plan that is designed to measure the impact, assess initial materiality, record the incident, invoke the incident response plan, and communicate the occurrence of certain cybersecurity events or incidents to appropriate members of senior management (including the CMAC) within established procedural time frames. This communication hierarchy includes protocols for informing the Chief Executive Officer, Audit Committee, and the full Board of certain cybersecurity events or incidents and for determining the materiality thereof.