TEJON RANCH CO - (TRC)
10-K Filing Date: March 06, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.
The identification and assessment of cybersecurity risk are integrated into our overall risk management systems and processes, which are managed by senior management and overseen by the Board of Directors. Cybersecurity risks related to our business, privacy and compliance issues are identified and addressed through a multi-faceted approach that includes third party assessments, internal information technology (IT) audit, IT security, governance, risk and compliance reviews. In connection with the aforementioned approaches, and to defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, monitor emerging laws and regulations related to data protection and information security, and implement appropriate changes.
We have implemented incident response and breach management processes, which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our IT and accounting teams.
Cybersecurity incident events are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality, as well as operational and business impact, and reviewed for privacy impact.
We also conduct tabletop exercises that simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborate with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation and remediation strategies.
As part of the above processes, we regularly engage external auditors and consultants with expertise in cybersecurity to assess our internal cybersecurity programs and compliance with applicable practices and standards.
Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties, such as vendors, suppliers, and other business partners associated with our use of third-party service providers. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Information technology failures and data security breaches could harm our business,” which discussion is included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. The Board of Directors’ Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from senior management regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
Our management, represented by our Director of IT, Marcus O. Pegues, and our Senior Vice President of Finance and Chief Accounting Officer, Robert D. Velasquez, leads our cybersecurity risk assessment and management processes and oversees their implementation and maintenance. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items.
Marcus O. Pegues is an experienced information technology professional in our information technology department and has served as Director of IT since 2021. He works with the Company’s internal information technology department and external partners to monitor and improve our cybersecurity capabilities. Mr. Pegues possesses a proven track record of guiding our
35
organization through strategic technology, risk mitigation, process improvement initiatives, and digital transformations. He also possesses extensive experience in technology and cybersecurity, gained over his career spanning more than 15 years. He earned his Master of Science in Information Technology with Specialization in Project Management from Colorado Technical University and his Bachelor of Science in Business Management with Specialization in Information Technology from Colorado Technical University.
Robert D. Velasquez, CPA, is an experienced risk management professional in our finance and risk management function and has served as Senior Vice President, Finance and Chief Accounting Officer since March 2022. Mr. Velasquez currently oversees key functions for the Company’s accounting, finance, and treasury strategies, including risk management. In addition, Mr. Velasquez leads the Company’s cybersecurity risk oversight and the development and enhancement of internal controls designed to prevent, detect, address, and mitigate the risk of cyber incidents.