BROADWIND, INC. - (BWEN)

10-K Filing Date: March 05, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We rely on information systems to obtain, rapidly process, analyze, and manage data in order to effectively operate our business. We are committed to protecting our business information, intellectual property, customer, supplier and employee data and information systems from cybersecurity risks and maintain an active cybersecurity risk management program.

We maintain enterprise-wide information security policies, processes and standards that set the requirements around acceptable use of information systems and data, risk assessment and management, identity and access management, data security, security operations, security incident response and threat and vulnerability management. We work to align to the National Institute of Standards and Technology (NIST) 800-171 Cybersecurity Framework, as its program controls are designed to protect and maintain confidentiality, integrity, and continued availability of our data and information systems. Our team of information system professionals and third-party providers monitors our information systems for cybersecurity threats, breaches, intrusions and other weaknesses, responds to cybersecurity incidents, develops and implements plans to mitigate cybersecurity threats and facilitates training for our employees.

We also engage consultants and other third-party advisors to conduct independent assessments of our cybersecurity readiness and control effectiveness. In collaboration with our third-party providers, we seek to gain insights into emerging threats and vulnerabilities, industry trends, and leading practices to inform our cybersecurity response.

Governance

Management plays a critical role in assessing and managing material risks from cybersecurity threats. Our Director of Information Technology leads an internal team and works directly with our third-party information security professionals to manage our cybersecurity risk management program and activities. This includes monitoring our information systems for cybersecurity threats, reviewing cybersecurity incidents, analyzing emerging threats, and the development and implementation of risk mitigation strategies.

Our Director of Information Technology reports directly to our executive leadership team on cybersecurity matters, providing the leadership team with updates on enterprise risks, cybersecurity incidents, the status of ongoing initiatives, key metrics, and additional cybersecurity topics. Our information technology team, led by the Director of Information Technology, meets regularly to discuss the progress of ongoing program initiatives, cybersecurity priorities, identified risks and metrics.

The Board of Directors exercises direct oversight of strategic risks to the Company. The Board has delegated the responsibility for cybersecurity oversight to the Audit Committee. The Audit Committee’s responsibilities include reviewing and discussing with management the strategies, processes and controls pertaining to the management of information technology operations, including cybersecurity risks and information security. The Director of Information Technology reports to the Audit Committee annually and more frequently, as needed, on cybersecurity matters, including the cybersecurity threat landscape, key metrics demonstrating the overall management of our cybersecurity risk and risk management program, related key initiatives, enterprise program framework alignment, annual risk mitigation strategy, and review of cybersecurity incidents. Our Board is committed to maintaining a well-informed and cybersecurity-aware posture, engaging through regular and requested updates on our strategy and the evolving threat landscape.
