ASTEC INDUSTRIES INC - (ASTE)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have developed and implemented a comprehensive cybersecurity strategy and risk management program that is informed by the following key elements:

Periodic cybersecurity program maturity assessments to evaluate the overall controls, processes, skills and platforms leveraged to assess, identify and manage material risks from cybersecurity threats.
Periodic Business Impact Assessments ("BIAs") of key business processes and services that enable us to identify sensitive and critical aspects of the business, the impact of operational disruptions to those processes and services and the sensitivity of the data leveraged in those processes and services.
An external assessment of the cybersecurity risks associated with our operations.

We utilize internal information technology resources for the primary aspects of our cybersecurity program. Our internal team is supported by external service providers and consultants as needed.

To minimize the risk to our core systems, we utilize well-established enterprise-grade cloud service providers for our management and operational functions. We review Service Organization Control Type 2 audit report results from each of these service providers to ensure that their programs meet our requirements.

To reduce the risk that we are materially impacted by a cybersecurity incident, we employ a multi-layered defense approach to cybersecurity leveraging people, controls, tools and automated/monitored platforms to support the detection and response to cybersecurity incidents. We also have a cybersecurity incident response plan that outlines the steps we will take to respond to a cybersecurity incident, which is tested on a periodic basis.

Finally, we conduct cybersecurity training and awareness programs for relevant employees and periodically conduct tabletop exercises leveraging actual scenarios to validate and improve our cybersecurity incident response plan and ensure that our management has a thorough understanding of and experience executing their roles and responsibilities if a cybersecurity incident were to occur.

Our cybersecurity strategy and risk management program is a component of our overarching enterprise risk management program and interfaces with other functional areas within the Company, including our business segments, legal, risk, human resources and internal audit departments.

While we have experienced cybersecurity incidents in the past, we do not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our business or financial condition. However, there can be no assurance that we will not suffer a significant event in the future that could materially affect our business, financial position, results of operations or cash flows. For more information on how cybersecurity risk may materially affect our business, financial position, results of operations or cash flows, please refer to Part I, Item 1A. Risk Factors hereof.

Governance

Our Board of Directors has primary responsibility for evaluating cybersecurity risk management, overseeing our major cybersecurity risk exposures and the steps management has taken to monitor and control these exposures, including policies and procedures for assessing and managing risk, as well as oversight of compliance related to legal and regulatory exposure.

The management positions responsible for assessing and managing cybersecurity risks include our Director of Cybersecurity and our Chief Information Officer ("CIO"), who reports directly to our CFO. Our CIO is responsible for ensuring that we have a cybersecurity risk management program in place that is fully aligned with business requirements and strategy. Our CIO and Director of Cybersecurity have over 19 and 20 years, respectively, of cybersecurity oversight experience. Our CIO previously served as CIO for a New York Stock Exchange listed manufacturing company prior to joining the Company. Additionally, our Director of Cybersecurity has experience developing and implementing cybersecurity programs for multiple manufacturing firms.

As part of our defined cybersecurity policies and cybersecurity incident response plan, management is regularly updated on the status of the execution of our cybersecurity strategy and daily operations of the program. This includes regular reporting and evaluation of all cybersecurity incidents, not only those that may be deemed material.

Our CIO, supported by our Director of Cybersecurity, provides quarterly reports to the Board, which generally include:

Our cybersecurity risk profile;
Any changes to our cybersecurity strategy;
Status of the execution of the cybersecurity strategy; and
Summary of any non-material cybersecurity incidents that have occurred over the past quarter, including the nature, impact and resolution of incidents.

In the event of a material cybersecurity incident, communication to the Board is provided pursuant to our cybersecurity incident response plan.