MANITOWOC CO INC - (MTW)
10-K Filing Date: February 23, 2024
The Company’s risk management program includes procedures, systems, and processes for assessing, identifying, and managing material risks from cybersecurity threats. Overall, we address cybersecurity risks through Board of Directors (the "Board") and management oversight and a system of controls and procedures designed to protect the confidentiality, integrity, and availability of the Company’s information assets. The Company employs a comprehensive system of monitoring, detection, internal reporting, and prompt escalation of certain cybersecurity incidents, plans for incident response and recovery, technical safeguards, third-party risk management, and mandatory training and awareness campaigns.
Governance and Management Oversight
The Board, in conjunction with the Audit Committee of the Board (“Audit Committee”), oversees the Company’s Enterprise Risk Management process, which includes cybersecurity risks. The Board and the Audit Committee receive regular presentations and discuss topics on cybersecurity risks with management, including the Director of Cybersecurity and the Senior Vice President Global Information Systems. The presentations and discussions address a range of topics, including recent cybersecurity developments, the threat environment, evolving standards and technology, vulnerability assessments and related remediation plans, education and training programs, and cybersecurity insurance. The Board also receives periodic training on recent developments and trends in cybersecurity from a third-party advisor. Based on the Company’s procedures, the Board and Audit Committee receive prompt and timely information regarding any cybersecurity threat or incident that meets established reporting thresholds, and regular updates until such threat or incident has been addressed.
The Director of Cybersecurity and the Senior Vice President Global Information Systems work closely with the CEO, CFO, General Counsel and other members of management to design, implement and maintain policies, procedures and practices to protect the Company’s information systems and promptly respond to any cybersecurity threats or incidents, consistent with the Company’s response and recovery plans. The Global Information Services team monitors the prevention, detection, and mitigation systems in real time and reports such threats and incidents to the Director of Cybersecurity, Senior Vice President Global Information Systems, the CEO, CFO, General Counsel, and other members of management, when appropriate. The process provides for prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management in a timely manner.
The Global Information Services team has relevant educational and industry experience. The Director of Cybersecurity has served in various roles in information technology and security at Manitowoc for over 29 years, including the last five years overseeing cybersecurity. The Senior Vice President Global Information Systems has been with Manitowoc for over 23 years, leading the Global IS team since 2022.
Controls, Procedures and Technical Safeguards
The Company has enterprise security policies, controls and procedures designed to protect the confidentiality, integrity, and availability of our information assets. Among other areas, the comprehensive system addresses intrusion detection, encryption, device hardening, and monitoring through various controls, including phishing protection solutions, administrative password management tools, system patching, encryption, and intrusion prevention and detection systems.
The Company regularly engages in assessments, testing and subsequent remediation of our policies, procedures and practices that are designed to address cybersecurity threats and incidents. These efforts include a variety of third-party vendors and activities, including audits, assessments, penetration tests, threat modeling, tabletop exercises and vulnerability testing. We have also engaged a third party to perform an independent review of our information security environment. The results of such assessments, audits and reviews, along with remediation and development plans, are reported by management to the Board and Audit Committee.
The Company deploys technical safeguards designed to protect the Company’s information systems, including firewalls and systems for anti-malware, intrusion detection and prevention. The technical safeguards are regularly evaluated, tested, and improved through vulnerability assessments and updated cybersecurity intelligence. The Company also maintains incident response and recovery plans that address the Company's response to a cybersecurity incident and such plans are tested, evaluated and updated on a regular basis.
The Company evaluates and oversees cybersecurity risks presented by third parties, including vendors and service providers, and the systems of third parties that could impact our business. We seek vendor partners who are reliable, reputable and maintain cybersecurity programs. We also rely on contractual terms for indemnification and to ensure vendors and service providers employ industry best practices to protect confidential information.
The Company uses employee training and education as part of the comprehensive system designed to protect the Company’s information systems. Through mandatory training and ongoing awareness campaigns, including phishing simulations, we are educating our personnel about cybersecurity risks and providing them with the tools to identify, prevent and report potential cybersecurity threats.
Cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected or are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.