Titan Machinery Inc. - (TITN)
10-K Filing Date: April 03, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have implemented a cybersecurity governance program intended to assess, identify, and manage risks from threats to the security of our information, systems, and network. Our risk-based measures aim to proactively manage threats and prove the effectiveness of our internal controls.
Our cybersecurity governance program adopted the Center for Internet Security Critical Security Framework as the structure to help detect and mitigate threats through risk-based controls designed to protect Titan Machinery’s information, systems, and network.
We continuously review and seek to enhance our program as risks evolve and compliance requirements change. We use our internal security team and engage third-party cybersecurity companies. Together we conduct periodical assessments and ongoing enhancements to our cybersecurity posture and identify and remediate risks from cyber threats. The assessment includes reviewing third-party service providers periodically and before new engagements.
Security awareness training is provided to educate employees about cybersecurity threats and help them understand their responsibility in identifying, mitigating, and reporting security concerns or threats.
Along with other significant risks for the Company, we have sought to integrate cybersecurity into our enterprise risk management framework, by tracking key risk indicators, emerging risks and changes to the risk mitigation plan to achieve desired results.
Cybersecurity Governance
The Board is aware of the critical nature of managing risks associated with cybersecurity threats. The Audit Committee is responsible for board-level oversight of cybersecurity risk. The Audit Committee reports back to the full Board about cybersecurity and other areas within their responsibility.
23
Our cybersecurity governance program is led by our Vice President of Information Technology (“VP of IT”). The VP of IT is informed about and monitors the prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals on the security team. Our VP of IT has been assessing and managing cybersecurity risk for the company since 2015. In total, our VP of IT has over 20 years of IT industry experience in various roles.
Team members who support our cybersecurity governance program have relevant education and industry experience. The team provides regular reports to senior management and other relevant teams on various cybersecurity threats, assessments, and findings.
Our VP of IT semi-annually and on an ad-hoc basis presents directly to the Audit Committee on cybersecurity initiatives, efforts, and security risks. The Audit Committee reports to the Board at minimum semi-annually the cybersecurity initiatives, efforts and security risks. In addition, we have an Incident Response Policy in place to inform senior management and the Board of material issues related to cybersecurity matters and to develop an appropriate response plan.
While we have experienced cybersecurity incidents in the past, to date, none have materially impacted the Company or our financial position, results of operations and/or cash flows. However, the risks from cybersecurity threats and incidents continue to increase, and the preventative actions we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against all such threats and incidents. We continue to invest in cybersecurity and the resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Item 1A, Risk Factors, under the heading “Security breaches and other disruptions could compromise our information systems and expose us to liability, which would cause our business and reputation to suffer.”
24