TPI COMPOSITES, INC - (TPIC)
10-K Filing Date: February 22, 2024
Risk Management and Strategy
We have instituted policies and processes dedicated to assessing, identifying, and managing risks from cybersecurity threats. Cybersecurity risks are managed as part of our enterprise risk management program. We are committed to safeguarding our critical information assets and data and have implemented a defense-in-depth strategy that is informed by industry standard cybersecurity frameworks. We benchmark against these frameworks and our internal risk assessment process to inform how we identify, protect, detect, respond to, and recover from risks, threats, vulnerabilities, and cybersecurity incidents across our information assets.
We incorporate reputable third-party vendors and solutions into our cyber risk management strategies to fortify our cyber defense mechanisms. We collaborate with internal stakeholders across the Company to integrate cybersecurity principles into our operations, including deployment of multiple layers of cybersecurity defenses, restricted access based on business need, and integrity of our business information. We also train our employees during onboarding and annually thereafter on matters including cybersecurity awareness, confidential information protection, and phishing attacks.
We actively enhance our cybersecurity program through testing by third-party assessors and measure the results against industry standards. We also have standing engagements with incident response experts and external counsel to provide timely support to our incident response capabilities, and we regularly engage with external experts to analyze the threat landscape.
Our cybersecurity risk management is integrated into our business continuity program and enterprise risk management framework, which promotes proactive planning and preparedness to address potential threats. Members of our global information security team collaborate with subject matter experts within our organization to assess and refine our cybersecurity posture and incident response and preparedness, including evaluating and updating contingency plans, participating in tabletop exercises, threat hunting, red team engagements, and simulating real-world scenarios related to cyber incidents.
Although risks from cybersecurity threats have to date not materially affected us, and we do not believe they are reasonably likely to materially affect our Company, business strategy, results of operations or financial condition, we could, from time to time, experience threats and security incidents relating to our and our third-party vendors’ information systems. For more information, please see the section entitled “Risk Factors” included in Part I, Item 1A of this Annual Report on Form 10-K.
Governance
Our board of directors is responsible for monitoring and assessing strategic risk exposure, and administers its cybersecurity risk oversight function through the Audit Committee. The Audit Committee receives quarterly updates on our enterprise risk management program, including information on cybersecurity risks and initiatives undertaken to identify, assess and mitigate such risks.
Our chief information security officer is the senior director responsible for the cybersecurity organization, which has primary oversight of material risks from cybersecurity threats. Our chief information security officer reports to our chief information officer. Our chief information officer is responsible for the overall Information Technology (IT) organization.
Our chief information officer and chief information security officer assess our cybersecurity readiness through internal assessment tools, as well as third-party assessments, audits, penetration tests, and evaluation against industry standards. We have governance and compliance structures that are designed to elevate issues relating to cybersecurity to our chief information officer and chief information security officer, as appropriate.
Our chief information officer meets with the Audit Committee each quarter to review our information technology systems and discuss key cybersecurity risks. In addition, at least annually, the chief financial officer reviews with the board of directors our global enterprise risk management program, which includes cybersecurity risks.