GENERAC HOLDINGS INC. - (GNRC)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity


The Company’s management and Board recognize the importance of strong oversight of cybersecurity risk, information security and technology in maintaining the trust and confidence of our customers, partners, employees and stockholders. The Company maintains cybersecurity measures aligned with the National Institute of Standards and Technology Cybersecurity Framework (Framework), which organizes cybersecurity activities into five functions: identify, protect, detect, respond and recover. Our processes for assessing, identifying and managing material risks from cybersecurity threats are incorporated into our Enterprise Risk Management (ERM) program and evaluated against that Framework. Our information security and ERM teams coordinate to regularly review and assess these risks using a wide range of tools and services.


Our cybersecurity risk is actively managed through our Cybersecurity Steering Committee, which has established Company-wide policies and standards concerning cybersecurity matters. These policies relate directly or indirectly to cybersecurity and cover antivirus protection, remote access, multifactor authentication, containment of confidential information and the use of the internet, email and wireless devices. The Company’s Chief Information Security Officer (CISO) is responsible for developing and implementing our information security program and regularly reports on cybersecurity matters to executive management and the Board of Directors. The CISO has over 25 years of experience supporting cybersecurity and information technology and is a board member of a local Cyber Threat Response Alliance organization. The team members who support our information security program, led by our CISO, have relevant educational and industry experience.


The CISO and the information technology security team conduct regular risk assessments to identify areas requiring additional investment and resources. These risk assessments extend to our supply chain, where cybersecurity health assessments are performed on our critical suppliers. The results are used to calculate a Cybersecurity Risk Score, a key component of the Supply Chain Scorecard we use to proactively identify and manage potential risks. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, as appropriate. Risk assessments are also performed on new products and software, and we periodically engage third-party services for penetration testing and security evaluations. We also periodically assess our technology infrastructure and business processes to identify and address potential security gaps and vulnerabilities. An ISO 27001 certification is maintained within our Energy Services business.


As chair of the Cybersecurity Steering Committee, the CISO holds regular meetings to provide strategic updates on the Company’s cybersecurity infrastructure and preparedness. These meetings, supplemented by regular updates to the Board of Directors, are instrumental in keeping the cybersecurity program aligned with the Company’s strategic goals. Our Board of Directors is also provided with ongoing education, including updates on relevant legislation, and regularly receives reports on cybersecurity risks, threats, incidents and other trends. Several members of our Board’s Audit Committee have expertise and experience in cybersecurity, and one director is the President of a major cybersecurity services provider.


To promote a culture of security awareness across our organization, all employees are required to complete annual cybersecurity awareness training and are provided with periodic information updates on cybersecurity threats. We also maintain cyber insurance policies to help partially mitigate the financial impact of a significant cybersecurity incident.


Despite our best efforts, we cannot guarantee that our security measures will prevent all potential cybersecurity incidents or breaches. Our systems are continually subject to sophisticated and evolving cyber threats, such as phishing, ransomware, social engineering and advanced persistent threats. However, to date, we have not been subject to any incidents or successful cyberattacks that materially impacted our operations or financial condition. The Company has invested in developing and acquiring cybersecurity capabilities that allow us to monitor threats and manage incident response. We have also developed internal policies to mitigate cybersecurity incidents, including clear guidelines for incident classification and response. We recognize the importance of continued monitoring and improvement of our cybersecurity program, and we will continue to invest in our security controls, incident response capabilities and third-party vendor management protocols.


For additional information on the cybersecurity risks that we face, also see Item 1A. “Risk Factors”.