PGT Innovations, Inc. - (PGTI)
10-K Filing Date: February 23, 2024
Cyberthreat activity sponsored by cyber criminals and malicious nation-state governments is becoming more sophisticated and effective every day, which we recognize includes increased targeting of the manufacturing sector and companies. All companies that utilize technology are subject to the cyberthreat of breaches of their cybersecurity programs. To mitigate the threats to our Company, we treat a comprehensive approach to cybersecurity risk management and technology infrastructure protection as a top priority.
Our board of directors (the “Board”), in conjunction with the Audit Committee and members of management, is actively involved in the oversight of our risk management program, of which cybersecurity represents a vital component. As described in more detail below, we have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats, including but not limited to our ability to sufficiently defend against all types of sophisticated tactics, techniques, and procedures (“TTPs”) used in cyberthreat activity sponsored by malicious nation-state governments.
We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective.
Having been a target of cyber criminals in November 2022, we are keenly aware of the risks and consequences that a cybersecurity incident unleashes on the technology function within a company. While this previous cyber-attack did not materially affect us and, in our belief, is not reasonably likely to materially affect us, future cybersecurity incidents and threats may materially affect us, including by affecting our business strategy, results of operations, or financial condition. See Item 1A., “Risk Factors” for additional details regarding cybersecurity risks.
Risk Management and Strategy
Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the U.S. Center for Internet Security (“CIS”) and other applicable industry standards. Our defense-in-depth cybersecurity program is designed to focus on the following key areas:
Collaboration
Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity, and availability (“CIA”) of Company and customer information, identifying, preventing, and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain cybersecurity incident controls and procedures that are designed to ensure prompt escalation of incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.
Risk Assessment
Annually, we conduct a cybersecurity risk assessment with quarterly updates to the Audit Committee of the Board that considers information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., cybersecurity alerts and advisories from the U.S. Cybersecurity & Infrastructure Security Agency, relevant technology vendors, related companies, industry trends, and evaluations by third parties and consultants). The results of these assessments are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee, and members of management.
Technical Safeguards
We regularly assess and deploy technical cyber-safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, third-party cybersecurity threat assessments and incident response experience.
Incident Response and Recovery Planning
We have established comprehensive incident response and recovery plans and regularly test and evaluate those plans for effectiveness. Our incident response and business recovery plans address — and guide our employees, management, Audit Committee, and the Board on — our response to a cybersecurity incident.
Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use various inputs in such random risk assessments, including information supplied by providers and third parties.
In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.
Education and Awareness
Our policies require each of our employees to contribute to our cyber and data security efforts. We regularly remind employees of the importance of handling and protecting data, including through annual privacy and security training to enhance employee awareness on how to detect and respond to cybersecurity threats.
External Assessments
Our cybersecurity policies, standards, processes, and practices are regularly assessed by external consultants and auditors. These assessments include various activities, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. For example, in 2022 and 2023, we conducted an independent cybersecurity maturity assessment and external penetration test to assess our controls against the NIST Cybersecurity Framework. The results of significant assessments are reported to management, the Audit Committee, and the Board. Cybersecurity processes are adjusted based on the information provided by these assessments. We have also completed cybersecurity attestations that demonstrate our dedication to protecting the data entrusted to us.
Governance
Board Oversight
Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. They receive at least quarterly reports, or more frequently if deemed necessary, from management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee directly oversees our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents.
Management’s Role
Our Senior Vice President (“SVP”) of Production Innovations & Technology, Vice President (“VP”) of Information Technology, Director of Information Security & Infrastructure, and General Counsel have primary responsibility for assessing and managing material cybersecurity risks and are members of management’s Security Steering Committee (the “Security Committee”), which is a governing body that drives alignment on security decisions across the Company. The Security Committee meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Security Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
Our SVP has served in various roles in engineering, operations, and information technology for over 20 years. He holds an undergraduate degree in mechanical engineering and a master’s in business administration. Our VP of Information Technology has served in various roles in information technology and information security for 20 years. He holds an undergraduate degree in both industrial technology and distribution. Our Director of Information Security & Infrastructure has served in similar roles within information technology for over 25 years, including managing risks arising from cybersecurity threats at several large publicly traded companies. He holds an undergraduate degree in criminal justice. Our General Counsel has over 20 years of experience managing risks, including risks arising from cybersecurity incidents and threats, at several large publicly traded companies.