Glatfelter Corp - (GLT)
10-K Filing Date: February 28, 2024
ITEM 1C CYBERSECURITY
Cybersecurity Risk Management and Strategy
We operate in the engineered materials manufacturing sector, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including: intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws; and other litigation, legal and reputational risks. We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. Our cybersecurity program is aligned with industry standards and best practices, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We conduct periodic risk assessments to identify the potential impact and likelihood of various cyber scenarios, including those involving third-party service providers, and to determine the appropriate mitigation strategies and controls. We use various tools and methodologies to manage cybersecurity risk, including implementation of a business continuity process that includes a comprehensive incident response plan and procedure that is tested on a regular cadence. We also monitor and evaluate our cybersecurity performance on an ongoing basis through regular vulnerability scans, threat intelligence feeds, and penetration tests by an independent third party. We require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. The incident response team, which includes senior IT subject matter experts and security analysts, determines the apparent severity of reported potential incidents, and operationalizes the appropriate incident response plan. 
In addition, we continue to provide training and awareness practices to mitigate human risk, including mandatory computer-based training, internal communications, and regular phishing awareness campaigns that are designed to emulate real-world contemporary threats and provide feedback (and, if necessary, additional training or remedial action) to employees. We also maintain insurance coverage that, subject to its terms and conditions, is intended to address costs associated with certain aspects of cyber incidents and information systems failures should they occur.
Our business depends on the availability, reliability, and security of our information systems, networks, data, and intellectual property. Any disruption, compromise, or breach of our systems or data due to a cybersecurity threat or incident could adversely affect our operations, administrative functions, customer service, product development, and competitive position. Such an event might also result in a breach of our contractual obligations or legal duties to protect the privacy and confidentiality of our stakeholders. Such a breach could expose us to business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation, regulatory scrutiny and actions, reputational harm, customer dissatisfaction, harm to our vendor relationships, or loss of market share.
Cybersecurity Governance
The Company has increased its investment in combating cybersecurity risks, including increased Board Audit Committee oversight of IT’s security risk reporting, formation of the Cybersecurity Steering Committee to directly govern IT cybersecurity strategies, and strengthening of the IT security management team, which deploys resources to address cybersecurity risks on a day-to-day basis. Our internal cross-functional Cybersecurity Committee meets quarterly to discuss any issues and regulatory updates. The Board’s Audit Committee exercises its oversight role and provides the Board with reports and findings from its annual cybersecurity meeting with management, including the Vice President of Global Information Technology and the Senior IT Director over Cybersecurity. Our Senior IT Director over Cybersecurity holds a Certified Information Systems Security Professional (CISSP) certification and has more than 25 years of experience in cybersecurity. Our Board also reviews our cybersecurity budget on an annual basis.