ATI INC - (ATI)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
The Company and its Board recognize the critical significance that cybersecurity has to our operations and the need to continually assess cybersecurity risk and evolve our response in the face of a rapidly and ever-changing environment. We face a range of increasing and evolving cybersecurity threats common to industrial operations and other enterprises, which continue to grow in frequency and scope. See Item 1A, Risk Factors, “Cybersecurity Threats.”
The programs and procedures we have implemented to mitigate our exposure to these threats focus on preventing cybersecurity incidents, preserving the confidentiality, security and availability of the information that we generate or collect and store, and effectively responding to cybersecurity incidents if they occur.
Our Comprehensive Program
We take a comprehensive, standards-driven approach to our cybersecurity through an enterprise-wide cybersecurity program aligned with the National Institute of Standards and Technology’s Cybersecurity Framework. Our program includes an extensive set of systems, network and application-level controls that protect our corporate data and systems. Our Chief Digital and Information Officer (“CDIO”) and our Chief Information Security Officer (“CISO”), each of whom has extensive cybersecurity training and expertise and more than 20 years and 14 years of information technology and cybersecurity experience, respectively, hold primary responsibility within management for assessing, monitoring and managing our cybersecurity risks and program. They are supported by a dedicated, enterprise-wide cybersecurity team that, with the assistance of third-party providers, monitors our program and controls, as well as available cybersecurity intelligence, on a continuous basis to ensure that, as an organization, we are informed of emerging risks, identify specific threats and potential incidents, and promptly escalate the evaluation and management of identified incidents as appropriate. Components of our comprehensive program include, among others:
Technical Safeguards. We deploy technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated through vulnerability assessments and cybersecurity threat intelligence.
Third-Party Risk Management. We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties.
Program Assessments. We engage in regular assessments and testing of our policies and procedures, including efforts such as audits and similar assessments, tabletop exercises, threat modeling, vulnerability testing and other procedures focused on evaluating program effectiveness. Additionally, we periodically engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness.
Education and Awareness. We conduct a regular program of enterprise-wide communication and training regarding cybersecurity threats and the policies and procedures we have implemented in response. These programs are designed to elevate threat awareness within the Company and equip our employees with the knowledge and access to resources that they need to appropriately respond to and address the cybersecurity risks that we face.
Incident Response and Recovery. We maintain extensive incident response and recovery plans and procedures that provide a documented framework for handling high severity security incidents. These plans ensure the appropriate escalation, evaluation, management and reporting of cybersecurity incidents in a prompt and appropriately cross-functional manner, facilitating coordination across multiple parts of the Company, and are the subject of regular tabletop breach simulations and other exercises and evaluations.
Insurance Coverage. We maintain a cybersecurity risk insurance policy to protect the Company against computer-related incidents and losses.
We have not experienced any operational or financial impact as a result of any cybersecurity incident or the cybersecurity risk that we face, and at this time, while the threat of a cybersecurity incident is always present, we view our comprehensive mitigation strategies and procedures as appropriately calibrated safeguards against any material impact to our results of operation and financial condition as a result of a cybersecurity incident and believe that we are prepared to appropriately mitigate and respond to such an incident, should it occur.
Governance
Our Board is actively engaged in the oversight of our digital technology risk management and cybersecurity programs. As part of its program of regular oversight, the Audit and Risk Committee oversees ATI’s digital technology and cybersecurity risk. The regular review and assessment of the Company’s cybersecurity program and related policies, standards, processes and practices is a fully integrated component of the Company’s overall enterprise risk management program, and at least quarterly as a key component of each regularly scheduled meeting, the Committee receives regular reports from our CDIO on the Company’s cybersecurity risk profile, the functioning of its cybersecurity program, including with reference to key performance indicators and other specific, quantitative measures, and other digital technology risks.