MSA Safety Inc - (MSA)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Managing Material Risks & Integrated Overall Risk Management
We assess, identify, and manage our cybersecurity risks by employing several processes, including conducting employee training, monitoring and testing our networks and systems, responding to vulnerability and threat assessments, and maintaining and refreshing backup and protective systems. Cybersecurity risk management is also a component of our overall Enterprise Risk Management (“ERM”) program. Both the cybersecurity risk management component of the ERM program and associated risk management plans, including risk mitigation, are reviewed at regular intervals and updated as needed. Related reporting to management occurs on a routine basis, and the Board of Directors is updated through an established cadence via the Board’s Audit Committee and the full Board.
The Company has an information security policy, and it provides cybersecurity training to employees on a recurring basis. As part of our processes, employees are trained on how to identify and report potential cybersecurity threats. The Company also engages in an ongoing process of risk assessments to identify and mitigate cybersecurity threats. This includes a vulnerability management program where such risks are identified, classified, and addressed. The Company conducts cybersecurity tabletop exercises to enhance mitigating controls and incident response preparedness. The Company also has incident response plans in place to address contingencies in the event of a cybersecurity incident.
Engage Third-parties on Risk Management
As part of our cybersecurity risk management process, MSA engages a range of third parties, including consultants, advisors, and auditors, to assist with security and maturity assessments, security operations, employee training and awareness, compliance, penetration testing, network and endpoint monitoring, threat intelligence, and our vulnerability management platform. These relationships enable us to access specialized knowledge and insights with respect to our cybersecurity strategies and processes.
Oversee Third-party Risk
We are aware of risks associated with third-party service providers, and the Company employs a third-party risk management program that includes a systematic evaluation of potential risks associated with engaging third-party vendors, suppliers or partners that may have access to Company sensitive information, systems, or networks. This process is also intended to provide for the security and integrity of the Company’s data that may be stored on third-party systems. The process identifies and addresses potential security vulnerabilities, safeguarding Company information assets and reducing the overall risk of cyber threats. The Company’s assessments begin during the onboarding of third parties and may continue throughout the relationship, based upon an assessment of third-party risk. Those assessments also include Company audit rights, third-party notification obligations, and security requirements for the retention of Company data. The Company maintains a team consisting of employees, contractors and consultants to oversee this process.
Risks from Cybersecurity Threats
From time to time, we have experienced attempts by unauthorized parties to access or disrupt our information technology systems. To date, we have not experienced any known material breaches or material losses related to cyber-attacks. However, a failure of our information systems or a cybersecurity breach could materially and adversely affect our business, results of operations and financial condition. See Item 1A, “Risks related to Cybersecurity or Misappropriation of Our Critical Information.”
Governance
Board of Directors Oversight
The Audit Committee and the Board of Directors oversee and periodically review the design and effectiveness of the Company’s cybersecurity program, as well as its contingency plans. On an established cadence, the Audit Committee and the Board of Directors are briefed by the Chief Information Security Officer (“CISO”) on the status and progress of the cybersecurity program, as well as on direct or emerging threats to the Company, program maturity and strategy, and third-party risk management. Additionally, the Board of Directors receives ERM program briefings that include cybersecurity risks.
Management’s Role Managing Risk
Company management is directly involved in assessing and managing risks from cybersecurity threats. The Company employs a CISO with substantial program management experience, along with a team of cybersecurity and IT professionals. The CISO reports directly to the Senior Vice President and Chief Product and Technology Officer, who is a member of the Company’s Executive Leadership Team. Additionally, the CISO reports regularly on the cybersecurity program, including risks and mitigation, to the Cybersecurity Executive Steering Body. The Cybersecurity Executive Steering Body provides strategic oversight and is responsible for guiding and aligning organizational efforts to manage risks associated with cybersecurity threats. It is intended to ensure comprehensive risk management, effective policy development, and coordinated response measures to safeguard sensitive information and technology assets.
The Cybersecurity Executive Steering Body includes members of the Executive Leadership Team, among other senior managers, including cross-functional representation from Cybersecurity, Product and Technology, Law, Finance, and Operations departments. Collectively, the Cybersecurity Executive Steering Body has decades of enterprise risk management experience, including cybersecurity risk management.
Monitor Cybersecurity Incidents
The Company’s cybersecurity incident response plan provides a structured approach to prevent, detect, manage and mitigate a cybersecurity incident. Primary goals are to minimize harm to information technology systems and Company information, reduce recovery time, and ensure the continuity of operations. Internal resources manage and execute the Company’s cybersecurity incident response plan with the support of retained external advisors. The plan is tested and assessed to maintain its ongoing effectiveness against evolving threats. Pursuant to the plan, communication channels and escalation protocols are also maintained to engage and inform internal stakeholders – such as the Cybersecurity Executive Steering Body, corporate crisis management team, and other members of the Executive Leadership Team – of how incidents are prevented, detected, mitigated, and remediated.
The Company’s measures to prevent and detect cybersecurity incidents include continuous monitoring of Company networks by a security operations team that includes a third-party managed security operations center. Employees throughout the Company are trained to report cybersecurity threats as they are identified. If an incident or suspected incident is reported, the cybersecurity team evaluates it for various factors, including severity and immediacy, pursuant to the Company’s cybersecurity incident response plan.
Reporting to Board of Directors
The CISO regularly informs the Cybersecurity Executive Steering Body of cybersecurity risks and incidents. Accordingly, the highest levels of management are informed of the cybersecurity position and risks, and significant cybersecurity matters are elevated to the Audit Committee of the Board of Directors.