BALCHEM CORP - (BCPC)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Cybersecurity is a critical part of our enterprise risk management. The Board, through its Audit Committee, oversees enterprise risk management, including cybersecurity. To more effectively address cybersecurity threats, we maintain multiple security layers within a least-privilege network approach that is managed by our Information Technology Department. Our cybersecurity programs align with numerous standards and continue to grow and develop as new technologies emerge. Further, we conduct regular user awareness testing and training that help keep all end users and executive leadership up to date on the most current threats. The global head of Information Security, who holds credentials in both information technology ("IT") and cybersecurity, provides regular updates to senior management. Additionally, they provide at least an annual update, or more frequent updates if necessary, to both the Audit Committee and the full Board regarding the current threat landscape at Balchem, cybersecurity technologies, mitigation strategies, industry trends and best practices that we follow, major cybersecurity incidents (if any), and other areas of importance. The global head of Information Security has responsibility for cybersecurity management globally and reports directly to the Chief Financial Officer. Additional activities to maintain and enhance information security are discussed below.
Reliable, Scalable Systems and Infrastructure
Our information security systems, infrastructure, and processes are built on and follow the U.S. National Institute of Standards and Technology ("NIST") framework for information security, a set of guidelines, accepted standards, and best practices published by NIST for mitigating organizational cybersecurity risks. We continue to make significant investments in industry-leading and advanced technologies as part of our strategy to strengthen our security posture, business continuity capabilities, and ability to protect and safeguard systems and stakeholder data. Our Information Security Program and systems are tested and assessed annually by an independent third party.
Automation and Artificial Intelligence
We have implemented automated systems that proactively test attack vectors by emulating inside and outside threats, validating our ability to detect and defend against a cyberattack. Artificial intelligence is used as part of early warning systems designed to detect, alert on, and respond to potential cyber threats.
Training
Recognizing that information security, stakeholder data, and privacy principles involve more than just systems and infrastructure, we provide semi-annual cybersecurity education and training to all users with access to IT systems, devices, or applications. Internal social engineering phishing campaigns are conducted regularly with the goal of building a culture of cybersecurity, as well as raising awareness and reinforcing best practices across the organization.
Third parties also play a role in our cybersecurity. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls.
We apply a risk-based approach to mitigate cybersecurity risks associated with our use of third-party service providers, and cybersecurity considerations affect the selection and oversight of these third-party service providers. We perform due diligence on third parties that have access to our most critical systems or data, or to the facilities that house such systems or data.
While we have experienced cybersecurity threats in the past in the normal course of business and expect to continue to experience such threats from time to time, to date, none have had a material adverse effect on our business, financial condition, results of operations or cash flows. Even with the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. “Risk Factors - Operational Risks - Disruptions or breaches of our information systems could adversely affect us” for a discussion of cybersecurity risks.
In the event of a possible cybersecurity incident, we would immediately implement our crisis management plan, which includes the following steps:
(1) Internal reporting and review of the incident or development
(2) Gathering and assessing information
(3) Developing and implementing a communications strategy
(4) Monitoring and evaluating a response
(5) Debrief and recovery
As part of the gathering and assessment of information in step 2, we will consider various factors to make a materiality determination of the incident, including business impact, potential costs, impacted data, scope of the incident, possible litigation or regulatory implications, and reputational damage.