Alexander & Baldwin, Inc. - (ALEX)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity, and in particular cybersecurity risk management, is an important part of operations and a focus area for the Company. Cybersecurity risks are evaluated on an ongoing basis by the Company’s Technology department, both internally and with the assistance of external firms.
The Company engages a national security firm in an effort to improve its cybersecurity posture and keep current with evolving cybersecurity risks. The Company’s cybersecurity program is examined on a regular basis, and new procedures and tools are adopted on an ongoing basis to address the changing cybersecurity landscape. The Company’s technology team tests the effectiveness of its tools with periodic exercises, such as an extensive, simulated attack exercise.
The Company’s Board of Directors oversees the overall risk management process, including cybersecurity risks, which it administers in part through its Audit Committee. One of the Audit Committee’s responsibilities involves reviewing the Company’s policies regarding risk assessment and risk management, including with respect to cybersecurity risks. Risk oversight plays a role in all major decisions of the Company’s Board of Directors, and the evaluation of risk is a key part of its decision-making process.
Cybersecurity risks are considered as part of the risk management process across all levels of the organization but are also facilitated through a formal process in which the Company identifies significant risks through regular discussions with management and also develops responses and mitigating actions to address such risks. In conjunction with the Company’s Internal Audit department, management compiles a report of significant, enterprise risks that is shared with the Company’s Board of Directors and its Audit Committee annually or as needed. In addition, cybersecurity and information security risks are among the matters presented by the Chief Technology Officer (“CTO”) for discussion with the Company’s Board of Directors annually and its Audit Committee quarterly or as needed. The CTO, who reports to the Chief Financial Officer, is responsible for leading the assessment and management of cybersecurity risks. The Company's current CTO has more than twenty years of experience managing technology initiatives in diverse industries, and he designed and led the approach for the modernization of the Company's technology platforms and security posture since 2017.
As many security threats involve social engineering, the Company has a multifaceted security training program for its employees. Mandatory cybersecurity training classes are administered semi-annually. Tests of employees’ ability to thwart attacks are run successively throughout the year, and remedial refresher courses are required when employees fail the tests. In addition, security awareness assessment is required as part of the annual employee review process.
The Company does not believe that any risks from cybersecurity threats to date, including as a result of any previous cybersecurity incidents of which the Company is aware, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial conditions. Refer to the risk factor captioned, “Security breaches through cyber attacks or intrusions, or other significant disruptions of the Company's information technology ("IT") networks, communications, and related systems could impair our ability to operate, adversely affect our financial condition, and damage our reputation,” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.