BARNES GROUP INC - (B)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We maintain a data protection and cybersecurity risk management program based upon the National Institute of Standards and Technology ("NIST") Cybersecurity Framework to assess, identify and manage cybersecurity risks. As part of this program, we maintain defensive network perimeter safeguards, internal mitigation and control features, continuous system and network monitoring, and contingency data protection. We also have a notification process for real-time escalation of material cyber incidents by members of our internal cybersecurity team to senior management, including our Chief Executive Officer, Chief Financial Officer, Chief Accounting Officer and/or General Counsel, and the Board of Directors, in each case as appropriate.
As part of our risk management program, we periodically conduct penetration testing through an independent third-party assessor, as well as internal user training and tabletop exercises. We also conduct self-assessments of our cybersecurity risk management program to evaluate effectiveness and alignment with NIST standards and industry best practices. In addition, we maintain processes governing interconnections with third-party systems and annually review critical vendors’ cybersecurity positions for potential risks. This process includes review of System and Organization Controls ("SOC") 1 and SOC 2 reports (as each such report is defined by the American Institute of Certified Public Accountants), and direct interaction with key vendors to assess and address risks.
We have not experienced a cybersecurity threat, including as a result of any previous cybersecurity incidents, that has materially affected or is reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, risks from cybersecurity threats, including but not limited to exploitation of vulnerabilities, ransomware, denial of service, supply chain attacks, or other similar threats may materially affect us, including our execution of business strategy, reputation, results of operations and/or financial condition.
Cybersecurity Governance
Our cybersecurity program is managed by a global internal team that addresses potential risks, implements processes to support our cybersecurity program and responds to potential cyber incidents. The team has decades of experience with varied certifications and includes our Director of Cybersecurity, who has over 25 years’ experience as an IT professional engaged in network architecture and cybersecurity, and is led by our Vice President, IT, a CPA with 10 years’ experience leading IT, who reports to our Senior Vice President, Chief Financial Officer. The internal team is supported by third-party providers to expand coverage, expertise and responsiveness.
Annual risk assessments are performed and incorporated as part of our overall enterprise risk management process, which is overseen by our Board of Directors. As part of this process, the Board of Directors, through the Audit Committee, oversees the data protection and cybersecurity program, which includes reviewing management’s risk assessments and the steps management has taken to monitor or mitigate our cybersecurity risk exposure. Management regularly provides data protection and cybersecurity reports to the Audit Committee and the Board of Directors, which include updates on cybersecurity initiatives, cybersecurity metrics and threat landscape. For more information about the cybersecurity risks we face, see "Risks Related to Information Technology, Cybersecurity and Data Privacy" in Part I - Item 1A - Risk Factors.