Enpro Inc. - (NPO)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management Strategy
We recognize the critical importance of effectively managing cybersecurity risks to protect our businesses, intellectual property, employees, and customers. We manage cybersecurity risks as part of our broader enterprise risk management framework, which allows us to leverage existing, robust processes for assessing the effectiveness and coverage of our controls.
In recent years, we have invested significant time and resources to develop, implement, and maintain a robust set of cybersecurity measures, which all support our efforts to mitigate potential risks to the confidentiality, integrity, and availability of our data and critical business systems. Since the cybersecurity risk landscape is in a constant state of change, we employ a continuous, multi-layered approach to assess and measure the effectiveness of our cybersecurity defenses. Our approach includes using select third-party resources, including external cybersecurity consultants, auditors, and technologies, along with our internal staff, to benchmark, measure, and improve our cybersecurity risk management systems and processes, and ensure alignment with industry best practices.
Due to the increasing risk arising from third- and fourth-party business relationships, we implemented a Third-Party Risk Management (“TPRM”) Program to evaluate and monitor our network of external partners, vendors, suppliers, and service providers. Capabilities of our TPRM program include continuous monitoring of third parties, secure vendor remote access, and security architecture to protect against cyber threats introduced through other business-to-business (“B2B”) system integrations.
In addition to the above, we have implemented and maintained the following cybersecurity measures as part of our efforts to assess, identify, and manage material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents (as defined in Item 106(a) of Regulation S-K):
•Security Operations Program - a security operations program to bolster real-time cybersecurity incident detection and response capabilities;
•Security Control Framework - a security control framework that aligns with industry accepted best practices and prioritizes implementation of critical cybersecurity controls;
•Incident Response Plan - a cybersecurity Incident Response Plan, designed to effectively address cybersecurity incidents while promoting cross-functional coordination across the organization;
•Tabletop Exercises - periodic internal and vendor-led tabletop exercises to assess the effectiveness, relevance, and completeness of the Incident Response Plan;
•Assessments - annual cybersecurity assessments, which focus on identifying and remediating vulnerabilities that present the most significant organizational risks;
•Training - security awareness training for all salaried personnel that highlights critical organizational risks through quarterly phishing simulation campaigns, “lunch and learns”, monthly communication updates, and regular cybersecurity learning modules;
•Insurance - cybersecurity insurance policies and periodic reviews of our policies and coverage levels; and
•Monitoring Legal/Regulatory Developments – review of emerging data protection, data privacy, and other relevant cybersecurity laws and regulations to determine appropriate changes to cybersecurity controls and processes.
Please see Item 1A. Risk Factors in this Form 10-K for more information regarding cybersecurity-related risks that could materially affect our business strategy, results of operations, or financial condition, including under the heading “Our business may be adversely affected by information technology disruptions”.
Board and Management Oversight
Our Board of Directors has delegated to its Audit and Risk Management Committee (the “Audit Committee”), which consists of all of our non-management directors, the authority and responsibility to oversee our company’s compliance program, including our cybersecurity program. Accordingly, the Audit Committee oversees our approach to cybersecurity risk management and plays a critical role in the governance of our cybersecurity risk management program.
From a management perspective, our Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”) lead our cybersecurity efforts. Our CISO has extensive experience in cybersecurity, including creating and supporting cybersecurity programs for larger publicly traded companies, obtaining cybersecurity certifications, participating in relevant cybersecurity leadership communities, and public speaking engagements on cybersecurity topics. He leads a cross-functional cybersecurity team, which includes members of our legal department and internal audit function. As part of his job function, our CISO is charged to remain informed of the latest developments in cybersecurity, including the evolving threat landscape, as well as risk management improvement methods. This continual focus and understanding of the threat landscape, as well as risk treatment practices, is required to ensure that the CISO can effectively manage the Company’s efforts to prevent, detect, mitigate, and remediate cybersecurity incidents.
Our CISO implements a program and supporting processes to proactively assess systems for vulnerabilities, while taking a risk-based approach to prioritize remediation steps. Should a cybersecurity incident occur, the CISO would follow our incident response plan and its supporting playbooks to guide the incident response process. We regularly test our incident response process by leveraging a combination of internal resources and trusted third-party consultants to test our response readiness and the completeness of our incident response plan, including through the use of tabletop exercises.
Our CISO and CIO regularly advise the Audit Committee on cybersecurity risks and the company’s cybersecurity program, including quarterly updates and comprehensive briefings to the Audit Committee at least annually. During these briefings, our cybersecurity leaders advise the Audit Committee regarding (i) the current threat landscape and related risks; (ii) the Company’s security posture and compliance efforts; and (iii) current cybersecurity strategy and recommended next steps to address cybersecurity threats on a risk-adjusted basis.
Our CISO and CIO serve as members of our Compliance Committee, which is a management committee consisting of leaders from key functions, including legal, internal audit, finance and compliance. The Compliance Committee receives regular updates from the CISO and CIO on cybersecurity risks and threats.
The practice of our CISO and CIO is to communicate significant cybersecurity matters directly to senior management, including our Chief Executive Officer, Chief Financial Officer and General Counsel, which ensures that our executive management team remains continually informed of critical events impacting our business.
For cybersecurity matters deemed material to the Company, senior management will communicate such matters directly to the Audit Committee to enable members of the Audit Committee to offer comprehensive oversight and guidance on crucial cybersecurity matters.