PARK OHIO HOLDINGS CORP - (PKOH)
10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity
Management of cybersecurity risks is an integral part of our overall risk management framework. We have developed an information security program designed to assess, identify and manage material risks from cybersecurity threats, which is integrated into our overall risk management program and governance structure. The program includes policies and procedures that identify how security measures and controls drawn from relevant frameworks are developed, implemented and maintained. Our cybersecurity risk management program works to balance critical infrastructure, network, application, cloud and information security objectives with overall business objectives and risk tolerance. Specific controls that are used include endpoint threat detection and response, identity and access management, privileged access management, logging and monitoring using security information and event management tooling, multi-factor authentication, firewalls, intrusion detection and prevention, and vulnerability and patch management.
We also use threat intelligence to inform our defensive measures. We use external and internal threat intelligence sources, including information from vendors and Information Sharing and Analysis Centers.
We have the following security processes in place:
• Cybersecurity Awareness Training: We educate employees on best practices for online safety and for identifying potential cybersecurity threats, including through quarterly training programs for our non-represented salaried workforce.
• Simulated Cyberattacks: With assistance from third-party providers, we periodically conduct penetration and vulnerability testing to test our technical controls and incident response plans.
• Security Monitoring: We monitor our information technology environment with both our internal cybersecurity resources and third-party service providers. We also have processes in place to monitor the cybersecurity practices of various third-party service providers, including certain vendors that have access to our information systems or sensitive data.
• Proactive Reporting and Investigation: As part of our training initiatives, we educate certain employees, depending on their role, on how to report any suspicious cyber activity or potential cybersecurity issues, and we investigate reported concerns.
Third-party security firms are used in different capacities to provide or operate some of these programs, controls, and technology systems, including cloud-based platforms and services.
Our Board of Directors (“Board”) has overall oversight responsibility for our enterprise risk management framework and cybersecurity risk management. The Board is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the Company is exposed and to implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. Management, including the Vice President of Information Technology with support from our Information Technology Council, updates the Board on at least an annual basis regarding our cybersecurity programs and material cybersecurity risks and mitigation strategies. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our Vice President of Information Technology receives reports from our Information Technology Council and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. Our Information Technology Council includes experienced information systems security professionals and information security managers. The Council, which is composed of technology leaders from each of our business units, collaborates on a cross-functional basis to identify practices that can counter threats and to monitor our cybersecurity programs and our cybersecurity incident response plans.
In 2023 we did not identify any material cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For more information about these risks, please see Part I - Item 1A. “Risk Factors - We may experience breaches of, or disruptions to, our information technology systems or those of our third-party providers, or other compromises of our data, including the improper disclosure of personal or confidential data, which may adversely affect our operations and reputation.”