AGCO CORP /DE - (AGCO)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
We have an enterprise risk assessment process which specifically addresses risks associated with cybersecurity. Additionally, we have a crisis management plan that outlines the structure, roles, responsibilities and operating procedures to utilize during potentially significant events that could negatively impact the Company. As part of the crisis management plan, we have a cybersecurity incident response plan in place that provides a documented framework for handling high severity security incidents and includes facilitated coordination across multiple functions of the Company. Our incident response plan also includes identifying and responding to material risks from cybersecurity threats associated with our use of third-party service providers. We invest in threat intelligence and are active participants in industry and government forums to strive to improve our overall capabilities with respect to cybersecurity. We routinely perform reviews of threat intelligence and vulnerability management capabilities, while performing simulations and drills at both technical and management levels. We incorporate external expertise in all aspects of our program utilizing best practice guidance from third-party cybersecurity advisors to provide objective assessments of our capabilities. We maintain a cyber liability insurance program, although the coverage may not be sufficient in some circumstances. We also have policies and practices in place to address data privacy regulations. Our cybersecurity program is reviewed and assessed by external information security specialists or by our internal audit group at least annually. Further, we conduct annual cybersecurity awareness training for employees and targeted training for high-risk functions of the Company. We also conduct phishing exercises and correlated education with our employees.
As part of its risk oversight role, our Audit Committee of the Board of Directors oversees cyber risk, information security and technology risk, including management’s actions to identify, assess, mitigate and remediate material cybersecurity issues and risks. The Audit Committee receives regular reporting several times each year from our Chief Information Security Officer as well as our Chief Information Officer on our technology and cyber risk profile, enterprise cybersecurity program and key enterprise cybersecurity activities.
We have an information security team, led by our Chief Information Security Officer, that is responsible for assessing and managing cybersecurity risks and monitoring cybersecurity incidents. The team possesses relevant experience in their respective fields as well, as appropriate certifications from various leading certifying bodies. During 2022, we established a Cybersecurity Council comprised of members of our senior leadership team that is regularly briefed on cybersecurity matters and provides input to our overall approach to cybersecurity. Our formal cybersecurity program is modeled after the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, as well as other global standards and best practices.
On May 5, 2022, we discovered that we had been subject to a sophisticated ransomware cyberattack. The attack resulted in the temporary closure of most of our production sites and parts operations. A majority of the affected locations resumed operations within approximately two weeks after the attack was discovered. There was some data exfiltration as a result of the attack, and a portion of the exfiltrated data subsequently was released publicly. We do not have significant retail operations, and we do not believe that the exfiltrated data included privacy-protected consumer data or that the exfiltration was consequential. We have invested heavily in maturing our information technology and cybersecurity operations and continue to review and improve our safeguards to minimize our exposure to future attacks. We do not believe the cost of remediation to the impacted systems will be material. To date, the cost of those efforts has not been consequential.
22