Andersons, Inc. - (ANDE)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

The Company is committed to ensuring the safe operation of its business by means of a dedicated cybersecurity program designed to protect the confidentiality, integrity, and availability of its assets from cybersecurity threats. The Company’s customers, suppliers, and joint venture partners also face cybersecurity threats, and a cybersecurity incident impacting the Company or any of these entities could materially impact our operations, performance, and results of operations. New and evolving cybersecurity threats and related risks make it imperative that the Company allocates the appropriate resources to mitigate these risks, adapts to the changing cybersecurity landscape, and responds to emerging threats in a timely and effective manner.

The underlying controls of the Company’s cybersecurity program are designed to be aligned with the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) standards for cybersecurity and information technology. The controls in the Company’s cybersecurity program include, but are not limited to, endpoint threat detection and response, privileged access management, logging and monitoring, multi-factor authentication, firewalls and intrusion detection and prevention, and vulnerability and patch management. Management regularly assesses the Company’s cybersecurity capabilities and has implemented policies, processes, and technology that it considers appropriate to reduce the likelihood or impact of a breach.

Third parties also play a role in the Company’s cybersecurity. The Company engages third-party contractors to assess cybersecurity controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. These assessments include testing both the design and operational effectiveness of these cybersecurity controls. The Company engages with these partners to monitor and maintain the performance and effectiveness of products and services that are deployed in the Company’s information technology environment. Management also shares and receives threat intelligence with our peers, local public companies, and cybersecurity associations.

The Company’s Senior Manager of Information Security, reporting to the Vice President of Information Technology, is the leader of the Company’s cybersecurity team. The Senior Manager of Information Security is responsible for assessing and managing the Company’s cybersecurity program, informs the Vice President of Information Technology and other senior management as appropriate regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. Our Senior Manager of Information Security and Vice President of Information Technology have decades of collective experience in managing information technology and cybersecurity functions, both at the Company and in prior positions. Management also periodically evaluates the experience of the Company’s entire cybersecurity team to ensure adequate coverage across all eight key knowledge domains identified by the Certified Information Systems Security Professional certification.
The Andersons, Inc. | 2023 Form 10-K | 12


Employees outside of the cybersecurity team also have a role in our cybersecurity defenses and they are engaged in a culture supportive of security protocols, which management believes improves the Company’s cybersecurity. All employees are required to complete cybersecurity trainings annually and have access to more frequent cybersecurity trainings through online trainings. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings. The internal business owners of hosted applications are required to document user access reviews at least annually and receive a System and Organization Controls ("SOC") 1 or SOC 2 report from the vendor. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, management will take additional steps to assess the vendor’s cybersecurity preparedness.

The Audit Committee of the Board of Directors oversees the Company’s cybersecurity program and the steps taken by management to monitor and mitigate cybersecurity risks. The Company’s Vice President of Information Technology regularly addresses the Audit Committee, typically on a quarterly basis, regarding our cybersecurity and data privacy progress to the NIST CSF standards along with briefing the Committee on any cybersecurity incidents that were determined to have a moderate or higher impact on the business, even if immaterial to the Company as a whole. In the event of an incident, management intends to follow the Company’s incident response plan, which outlines the steps to be followed from the detection of an incident to mitigation, recovery, and notification, including notifying functional areas, as well as senior leadership and the Audit Committee, as appropriate. Determination of when to notify senior leadership and the Audit Committee is made by the Vice President of Information Technology in consultation with other members of senior leadership as needed. Depending on the nature and severity of the incident, disclosure can be handled either through scheduled quarterly reporting to the Audit Committee or as an immediate disclosure to the Chair of the Audit Committee.

Assessing, identifying, and managing cybersecurity related risks are integrated into the Company-wide ERM process. On an annual basis, management assesses the top risks facing the enterprise through the Company’s ERM process. Cybersecurity related risks are included in this annual function and to the extent the ERM process assigns a heightened risk to cybersecurity, risk owners are named to address the severity, likelihood, and controls in place to mitigate these risks. Upon the conclusion of the ERM process, management’s assessment is then presented to the Board of Directors.

Notwithstanding the attention the Company pays to cybersecurity risks and the processes and controls implemented, the Company may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on its business, strategy, financial condition, results of operations, cash flows, and reputation. Cybersecurity risks rapidly evolve and are complex, so the Company must continually adapt and enhance processes and controls. As the Company does this, management must make judgments about where to invest resources to protect the Company and our assets most effectively. These are inherently challenging processes, and management can provide no assurance that the processes and controls implemented will be effective.

The Company has experienced, and expects to continue to experience, cyber incidents in the normal course of business. Cybersecurity threats, including as a result of previous incidents, to date, have not had, and as of the date hereof we do not believe are reasonably likely to have, a material adverse effect on the Company’s business, strategy, financial condition, results of operations, or cash flows. However, for the reasons described above, management cannot guarantee that the Company will not be materially affected in the future. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for further discussion of cybersecurity risks.

