ALBANY INTERNATIONAL CORP /DE/ - (AIN)
10-K Filing Date: February 26, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
Albany International Corp. views cybersecurity risk management as a cornerstone of our Enterprise Risk Management ("ERM") strategy, and we are committed to protecting our digital assets and sustaining investor confidence. Cybersecurity risks we face include data breaches, operational disruptions, reputational harm, and regulatory fines. Such incidents could lead to shutdowns or disruptions of, or damage to, our systems and those of our customers and suppliers, and to unauthorized disclosure of sensitive or confidential information, potentially including personal data and proprietary business information. Unauthorized disclosure of, denial of access to, or other incidents involving sensitive or confidential Company, employee, customer or supplier data, whether through systems failure, employee negligence, fraud, misappropriation, cybersecurity, ransomware or malware attacks, or other intentional or unintentional acts, could damage our reputation and our competitive positioning in the marketplace, disrupt our or our customers' business, cause us to lose customers and result in significant financial exposure and legal liability.
These risks are identified, assessed and managed within the broader context of our ERM strategy, ensuring a comprehensive approach to organizational risk. We incorporate cybersecurity risk assessments into our overall enterprise risk assessment process. This integration ensures that cyber risks are evaluated and managed alongside other operational, financial, and strategic risks, offering a holistic view of our risk landscape. Our ERM strategy is overseen by an Enterprise Risk Management Committee, which is made up of representatives from our finance, legal, accounting, internal audit and global information systems functions, our business leaders and members of the Senior Leadership Team. It is led by our Chief Financial Officer and its actions are reported to our Board of Directors on a quarterly basis.
Our Chief Information Officer and Director of Information Security, along with members of their respective teams, are responsible for identifying and managing cybersecurity risk. The Senior Leadership Team, the Board of Directors and the Board’s Audit Committee receive regular updates and engage in regular strategic discussions relating to cybersecurity risk management as part of their overall oversight of risk management.
Our cybersecurity framework leverages internationally recognized standards, including the CIS Critical Security Controls (CIS 20) and NIST SP 800-171, and is required to comply with the Department of Defense Cybersecurity Maturity Model Certification (CMMC) program. We have policies and procedures in place designed to maintain compliance with relevant cybersecurity and data privacy laws and regulations in the jurisdictions in which we operate, such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.
Our cybersecurity strategy includes policies, procedures, and technology that proactively safeguard our operations against cybersecurity threats. Internal teams and external experts regularly conduct risk assessments and audits to identify cybersecurity threats, ensure regulatory compliance, and adhere to control process best practices. Continuous monitoring of our networks and systems for threats and vulnerabilities is a key component of our strategy, supported by the analysis of threat intelligence from external sources. This multi-layered approach enables early detection and facilitates prompt response to potential cybersecurity threats. We regularly review and update our cybersecurity strategies, policies and procedures, taking into consideration the latest advancements in cybersecurity practices and changes to the threat landscape.
We have a cybersecurity incident response and crisis management plan in place, which incorporates regular training and simulation exercises, including with senior management, to ensure readiness and efficacy in responding to cybersecurity incidents. Our incident response and crisis management plan coordinates the activities we will take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate reputational damage.
In addition, we provide regular security awareness education and training for all employees and consultants, conduct internal “phishing” testing and training for “clickers,” require mandatory security training for all new hires and publish periodic cybersecurity newsletters to highlight any emerging or urgent security threats. We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident.
We engage qualified third-party cybersecurity experts for in-depth cyber risk assessments, penetration tests, and compliance audits, which provide impartial perspective and insight into our cybersecurity posture and we engage consultants for the development and refinement of our cybersecurity strategy and maturity, drawing upon industry best practices and regulatory knowledge. These collaborations also include the refinement of our incident response and crisis management plan and employee training, emphasizing the transfer of knowledge for sustainable in-house capabilities.
Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. We set clear objectives for third-party service providers, and we assess cybersecurity practices and any history of security incidents before engaging any potential service providers. Our contracts explicitly include requirements relating to cybersecurity, including adherence to certain standards, to ensure compliance with our security protocols. Once engaged, we regularly monitor the cybersecurity posture of these providers through surveys and reports, audits, and performance reviews.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or by any future material incidents. Based on our review of past cybersecurity incidents, we believe that all such incidents were addressed promptly and effectively. In the last three fiscal years, we have not experienced any material cybersecurity incidents, and the expenses we have incurred from any cybersecurity incidents were immaterial. See Item 1A, "Risk Factors" of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.
Governance
Board of Directors
The Board of Directors oversees our risk management processes, including with respect to cybersecurity risk, and the Board considers cybersecurity risk management an enterprise priority. The Board has delegated primary responsibility for reviewing and discussing with management our strategies, initiatives and policies relating to cybersecurity to the Audit Committee, which regularly reports to the full Board regarding such review and discussions. In addition, in connection with its oversight of cybersecurity risks in relation to financial reporting and internal controls, the Audit Committee plays a crucial role in the Board's understanding and management of the financial and operational impacts of cybersecurity risks.
As part of their oversight of cybersecurity risk, the Board and Audit Committee regularly review detailed cybersecurity reports, which include analyses of the threat landscape, recent incidents, and the efficacy of our cybersecurity strategy. In addition, the Chief Information Officer provides bi-annual updates to the Audit Committee and annual briefings to the full Board on our cybersecurity posture, strategy, and risk management. These reviews and updates are complemented by ongoing cybersecurity training for board members to enhance their decision-making and oversight effectiveness.
Regular, active engagement in strategic discussions by the Board and Audit Committee ensures that cybersecurity considerations are integrated into our overall business strategy and aligned with Company objectives, and demonstrates the Board's commitment to proactive cybersecurity oversight.
Management
Although the Board oversees our overall risk management, day-to-day management of cybersecurity risk is the responsibility of management. Management’s critical role involves assessing and managing these risks through regular evaluations, deploying advanced security measures, and developing policies. Management integrates these strategies across all our operations, fostering a culture of cybersecurity awareness within the Company. This proactive stance is essential to safeguarding digital assets and ensuring operational resilience against evolving cyber threats.
Quarterly, the Chief Information Officer presents detailed cybersecurity reports to the Enterprise Risk Management Committee, focusing on strategic initiatives and evolving threats. The Enterprise Risk Management Committee, meeting quarterly, evaluates cybersecurity within the broader organizational risk context, ensuring consistent assessment and management.
The Chief Financial Officer chairs quarterly Enterprise Risk Management Committee meetings to review and evaluate various risk factors, including cybersecurity. The Chief Financial Officer's expertise in financial risk management, strategic planning, and organizational leadership is instrumental in guiding the committee's discussions and decisions. The Chief Financial Officer ensures that appropriate financial and operational implications of cybersecurity risk are considered and integrated into our Enterprise Risk Management Strategy.
The Chief Information Officer oversees our broader IT strategy, including cybersecurity, and presents quarterly to the Enterprise Risk Management Committee, bi-annually to the Audit Committee, and annually to the Board. The Chief Information Officer's expertise in information technology, cybersecurity, and strategic planning, forged over 24 years, 20 of which have been spent in leadership at global publicly traded companies, is integral to our approach to cybersecurity risk management. This expertise is crucial in aligning our cybersecurity initiatives with business objectives, ensuring that our strategies effectively support the Company's overall goals.
The Director of Information Security, reporting to and collaborating with the Vice President of Information Technology and the Chief Information Officer, manages our Enterprise Cybersecurity team. Day-to-day responsibilities include the implementation of cybersecurity strategies, cybersecurity risk management, and enhancing defenses against evolving threats. Our Director of Information Security has over 30 years of IT experience, 10 of which have been spent leading the Company's cybersecurity efforts. The Director of Information Security plays a key role in shaping our cybersecurity strategy, ensuring alignment with industry standards and integration into our broader IT strategy.
Regular reporting channels between the Director of Information Security, the Chief Information Officer, and the Chief Financial Officer facilitate a cohesive, well-informed approach to managing cybersecurity risks. These reports include detailed analyses of potential threats, incident response readiness, and the effectiveness of existing cybersecurity measures.