NORTHWEST PIPE CO - (NWPX)
10-K Filing Date: March 05, 2024
Cybersecurity
We believe that cybersecurity is a critical part of our overall risk management, which is supported by both our management and our Board of Directors. We believe that we face the same external threats common to other participants in the infrastructure sectors, which include ransomware and malware attacks in addition to the risks brought on by the vendor supply chain. Through the leadership of our Vice President of Information Technology, who reports to our Chief Financial Officer, we routinely assess these threats and evaluate our landscape for new vulnerabilities, considering both their probability of occurrence and their perceived potential impact. We supplement our risk assessment processes with robust identification tools which we review routinely through the use of intrusion prevention and detection systems. We supplement our internal procedures with third parties, who routinely assess our network infrastructure for vulnerabilities both internal and external to our firewall. We also conduct periodic training and awareness programs for all of our employees with systems access in order to drive adoption and awareness of their critical roles in cybersecurity processes and controls.
The pace of change in approaches undertaken by cyber criminals requires an approach to security that strives for continuous improvement and constant monitoring of the landscape. While we are working to adopt the cybersecurity framework of the National Institute of Standards and Technology (NIST), we believe continued investment through parties external to our information technology team is the best means for extensively testing both the design and operational effectiveness of our cybersecurity controls, and ensuring their level of priority as compared to our other information technology objectives, namely system continuity and functionality.
Furthermore, through our incident response plan, we believe we have a well-designed plan to manage through any unforeseen breach including the eradication of the infiltrator from our networks. We carry cyber insurance to transfer the residual risk of an incident. We also work with our cyber insurance carrier to regularly refine our response procedures, which include the definition of internal and external communications channels to key stakeholders, as well as the identification of material breaches and the associated incident reporting up to senior management and our Board of Directors.
Our Board of Directors has charged the Audit Committee with the governance and oversight of this risk. Our governance philosophy is to discuss cybersecurity at least quarterly with our Audit Committee, as provided for within that committee’s charter, including regular reporting by our Vice President of Information Technology with respect to key accomplishments, planned activities, and monitoring results. Board experience in risk assessment has been enhanced with certification achievements specific to cybersecurity risk, providing us with the appropriate oversight to this evolving threat.
As of the date of this report, we are not aware of any material breaches to our networks or computer systems that have materially affected or are reasonably likely to materially affect us, including the execution of our business strategy, results of operations, or financial condition. We describe potential risks from cybersecurity threats under the heading “Our information technology systems can be negatively affected by cybersecurity threats,” in Part I — Item 1. “Risk Factors” of this 2023 Form 10‑K, which disclosures are incorporated herein by reference.