ARGAN INC - (AGX)

10-K Filing Date: April 11, 2024
ITEM 1C. CYBERSECURITY

Our approach to managing cybersecurity risk involves a comprehensive program established at each subsidiary. This strategy intends to pinpoint subsidiary-specific risks associated with both our digital and physical assets with the objective of employing effective measures that ensure the security of our infrastructure, systems, data, business partners, customers, and financial information against potential cyber incidents. Corporate management of the holding company oversees the cybersecurity risk program at each of the subsidiaries to ensure the collective cohesively responds to organization-wide risks.

Administered by security, information technology, and compliance professionals and managed by senior management at each of our subsidiaries, our cybersecurity program integrates into our broader enterprise risk management framework and aligns with recognized frameworks and industry standards, as applicable, and complies with various legal and regulatory requirements.

The audit committee of our board of directors oversees cybersecurity risk and ensures timely reporting and management of these threats.

Risk Management and Strategy

As our business objectives and operational needs change, our cybersecurity professionals continuously evaluate and refine the measures taken to address our identified risks. Our technical measures include firewalls, intrusion detection and prevention systems, anti-malware tools, and access and configuration controls, to shield our information systems from cybersecurity incidents.

Acknowledging the dynamic and complex landscape of cybersecurity threats, we engage with various external specialists to evaluate and strengthen our cybersecurity risk management practices. Such engagements differ across our subsidiaries, as they are tailored to the specific risk profile of each subsidiary, ensuring that each entity works with experts most suited to their specific cybersecurity needs. These engagements, which may encompass regular audits, threat assessments, vulnerability testing, and consultations on security enhancements, help us tap into specialized knowledge and stay aligned with industry best practices. Significant results of these assessments are reported to the audit committee and, when necessary, the board of directors, leading to adjustments in our cybersecurity approach based on their findings to ensure our defenses remain robust and effective.

Recognizing the importance of human factors in cybersecurity, we provide regular employee training that emphasizes common threats, such as phishing, social engineering, sensitive data exposure, and insider risks. In addition to regular training sessions, we perform phishing simulations, post security bulletins, and provide dedicated means for employees to report attempted threats.

To mitigate cybersecurity risks linked to our engagement with third-party service providers, we perform security screening and review for prospective vendors that require access to our information systems. Additionally, to further protect our operations and enhance our cybersecurity risk management process, we maintain cybersecurity risk insurance obtained from industry leading underwriters.

Our strategy for responding to cybersecurity incidents involves a well-defined plan at each subsidiary that prescribes dedicated cross-functional personnel to each response team, ensuring a coordinated and premeditated response. These plans, which undergo regular review, assert the ability of system recovery processes and provide response frameworks for escalating issues. The plans are designed to minimize the impact to our operations and stakeholders, initiate appropriate communications both within and outside of the organization, and identify recommendations for improvement.

Governance and Oversight

While our management team is tasked with the day-to-day handling of risks facing our organization, the audit committee, as delegated by the board of directors and documented in the committee’s charter, specifically oversees cybersecurity risk and governance. Management provides the audit committee regular updates covering information security issues, recent organizational developments and IT initiatives, vulnerability assessments, third-party evaluations, and emerging best practices. The audit committee also engages with our internal audit firm and other external specialists about organizational risks related to cybersecurity, as well as the policies and controls designed to mitigate these risks. In January 2024, our board of directors participated in a cybersecurity training session provided by our internal audit firm. Our audit committee or the board of directors is actively involved in strategic cybersecurity decisions, providing guidance and concurrence for significant or pervasive projects. This ensures that cybersecurity is seamlessly integrated into our strategic planning, aligning with our broader organizational goals.

Additionally, we have established a cross-organizational IT steering committee, comprising senior and executive leadership, enterprise risk management representatives, and IT management, many of whom have over 15 years of experience and hold professional certifications in their respective fields. In an effort to build a comprehensive cybersecurity strategy across the organization, this committee convenes several times each year to discuss ongoing cybersecurity initiatives, emerging regulatory requirements and industry standards, and results of risk assessments.

Cybersecurity incidents are regularly reported to cross-functional teams at each subsidiary through the dedicated means we have in place, and events deemed critical are reported to the Chief Executive Officer and Chief Financial Officer. Moreover, the audit committee and the board of directors are promptly informed of any significant cybersecurity incident, along with continuous updates until resolution.

Cybersecurity Risks, Threats and Material Incidents

Despite our endeavors to safeguard the security and integrity of our networks, systems, and the sensitive information they contain or transmit, including the adoption of numerous cybersecurity policies and protocols aimed at mitigating the risk of cybersecurity breaches or disruptions as previously outlined, it is impossible to guarantee the complete effectiveness of these measures. There remains a possibility that efforts to thwart cybersecurity threats may not be entirely successful, potentially resulting in successful breaches or disruptions that could be harmful. Refer to “Our failure to protect our management information systems against security breaches could adversely affect our business and results of operations” in Item 1A. Risk Factors.

As previously disclosed, we were targeted by a complex criminal scheme in March 2023, which resulted in fraudulently-induced outbound wire transfers to a third-party account (see Note 18 to the accompanying consolidated financial statements). The Company self-discovered the fraudulent activity and promptly contacted the remitting bank, receiving bank, dispute resolution experts, and federal and local law enforcement authorities. Moreover, we quickly informed the audit committee and regularly provided them with updates during investigation and recovery efforts. As a result of the fraud loss, net with funds recovered, and professional fees incurred related to an independent forensic investigation and efforts to recover the funds, we recognized $2.7 million of loss. We are unaware of any other significant security breaches at any of our business locations.