ALAMO GROUP INC - (ALG)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our cybersecurity program framework is based on the Center for Internet Security's ("CIS") Critical Security Controls. We have policies and procedures in place based on best practices and guidelines from the National Institute of Standards and Technology ("NIST"), an agency of the United States Department of Commerce, and the Cybersecurity & Infrastructure Security Agency, an agency of the United States Department of Homeland Security. Our Information Technology ("IT") team works to protect not only our information, but also the information of third parties we may hold or control, including by implementing physical, electronic, and procedural safeguards to protect the confidentiality, integrity, and availability of Company computer systems. We also limit physical access to server, storage, and network equipment to necessary staff.
We assess the security of our networks, websites, and systems with automated vulnerability detection services from a provider validated by NIST under the Security Content Automation Protocol ("SCAP") standard. We perform an annual review of our efforts to manage risk with controls that align with and map to key compliance frameworks, such as NIST and the ISO 27000 series of standards. We perform quarterly IT risk assessments that include cybersecurity risk assessments focused on action plans developed through the annual reviews. We also respond to risks as they are discovered, in real time. We are guided by an Information Security Incident Response Policy and a corresponding Information Security Incident Response Procedure that we follow when handling IT security incidents.
Our process of assessing, identifying, and managing material risks from cybersecurity threats is integrated into our overall enterprise risk management system. Our process of managing risks from cybersecurity threats includes monitoring information channels from trusted security information sources. We review third-party service providers that manage sensitive Company information prior to engaging any such provider. Our reviews align with relevant government compliance requirements and include review of System and Organization Controls ("SOC") reports. We establish governance, processes, and tools for managing various third-party related risks, including information security. As a condition of working with the Company, third-party service providers who access sensitive business or customer information are expected to meet certain information security requirements. Our processes for assessing, classifying, and managing cybersecurity risks were created in collaboration with consultants and auditors. We maintain consulting relationships that provide guidance for responding to evolving cybersecurity risks. We require employees to complete data protection, cybersecurity, and compliance training annually. Internal and external auditors also review our adherence to established IT and cybersecurity controls.
Despite our efforts, cyber attacks, unauthorized access or security breaches, or other cyber incidents such as computer viruses, malicious or destructive code, ransomware, social engineering attacks, hacking, denial-of-service attacks, and other similar attacks could materially affect us and disrupt our business. To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have, or are likely to, materially affect us, our business strategy, results of operations or financial condition. Potential consequences of a successful cyber attack or cybersecurity breaches or incidents could, however, include remediation costs, disruption of manufacturing capabilities, legal costs, increased cybersecurity protection costs, lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack, litigation and legal risks including governmental or regulatory enforcement actions, increased insurance premiums, reputational damage that adversely affects customer or investor confidence, and damage to the Company's competitiveness, stock price, and long-term shareholder value. For more information about the cybersecurity risks we face, see the risk factor titled “We are significantly dependent on information technology and our business may suffer from disruptions associated with information technology, cyber-attacks or other catastrophic losses affecting our IT infrastructure” in Item 1A. Risk Factors.
Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated responsibility for the periodic review and evaluation of the Company’s policies and programs for identifying cybersecurity risks to the Audit Committee. In addition, the entire Board receives quarterly updates on the Company's cybersecurity action plans and annual reports containing full cybersecurity control assessments and action plans from senior management, and periodically reviews information regarding the Company's cybersecurity risks. We have an Information Technology Steering Committee ("ITSC"), comprised of the Company President and Chief Executive Officer, the Executive Vice Presidents of our Vegetation Management and Industrial Equipment Divisions, the Chief Financial Officer, and the Chief Sustainability Officer, that determines the priority of cybersecurity initiatives. The ITSC also reviews the Board's and Audit Committee’s feedback and incorporates it into ongoing cybersecurity management efforts.
Our IT team, led by the Vice President of IT and the Director of Network and Information Systems, is responsible for day-to-day assessment and management of cybersecurity risks. Members of our IT team hold undergraduate and graduate degrees in relevant fields, including information systems, information assurance, and information technology with a concentration in cybersecurity. Members of our IT team have also obtained relevant certifications, including the Director of Network and Information Systems, who is a Certified Information Systems Security Professional ("CISSP").