AdvanSix Inc. - (ASIX)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
AdvanSix is committed to protecting the data and confidential information of its business, employees, customers and suppliers. As an organization, we face the risk of cybersecurity breaches and incidents from both external threat actors and from insiders which could compromise the security of our information and networks. Any cybersecurity breach or incident could harm our business or disrupt our operations.
Cybersecurity risk is closely monitored by our executive leadership with governance and oversight by the Audit Committee of the Board, whose oversight is expressly noted in its chartered responsibilities along with broader enterprise risk management. A cybersecurity team, led by the General Counsel, the Chief Information Officer (“CIO”) and the Chief Information Security Officer (“CISO”), is responsible for the management, implementation and operation of the cybersecurity program, alongside qualified internal and external security and IT subject matter experts.
Our CIO leads the Company’s information technology organization and brings over 25 years of experience to the role. She joined AdvanSix as Senior Director, Information Technology in September 2016, and prior to that time, spent 17 years with Honeywell, where she held IT positions of increasing responsibility in the Transportation Systems business and Corporate functions. Before joining Honeywell, our CIO held several roles at Electronic Data Systems (EDS), including system design and development, configuration management and database administration. She earned a Bachelor’s Degree in Psychology and an MBA, in Supply Chain and Business Information Systems, from Michigan State University.
Our CISO leads the Company’s cybersecurity and IT infrastructure organization and brings over 19 years of experience in the areas of technology governance, risk and compliance management, information security and cybersecurity, risk assessments, secure-Software Development Life Cycle (SDLC), security architecting, cloud security design and operations, threat and vulnerability management, Security Information and Event Management (SIEM)/Security Operation Center (SOC), and incident response management. He joined AdvanSix in December 2018 as our Cybersecurity Leader, and prior to that time, he worked as VP and Information Security Officer at MUFG, managing the overall risk management program, design and implementation. Prior to that role, our CISO served as a cybersecurity and privacy manager with PricewaterhouseCoopers, as a technology manager – IT security and infrastructure with Suez Environment North America, and as an IT auditor for Pentair. Our CISO has a Master's Degree in Computer Science from New Jersey Institute of Technology and a Bachelor’s Degree in Mechanical Engineering from University of Madras. In order to stay current with best practices, our CISO regularly completes cybersecurity certification courses and attends industry conferences.
We track the effectiveness of our cybersecurity program using key performance and risk metrics through daily surveillance with dashboard updates provided by the CISO to the General Counsel and the CIO supplemented by regular updates to the senior leadership team, which includes the Chief Executive Officer and the Chief Financial Officer. In addition, the CISO provides cybersecurity updates to the Audit Committee and the full Board. Informational report-outs, with risk metrics and dashboard updates, are provided to the Audit Committee on at least a quarterly basis. At least annually, the full Board is provided an update which includes a review of governance oversight, cybersecurity controls, implemented improvements and mitigations, vulnerability risks, third-party vendors utilized, and status of key initiatives.
AdvanSix’s cybersecurity program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and consists of technical, administrative and operational controls working together as an integrated solution. AdvanSix engaged the services of a best-in-class third-party cybersecurity firm to conduct an independent comprehensive maturity assessment of our cybersecurity program across critical areas which align with the NIST Cybersecurity Framework. As a result of the assessment, best practice recommendations were incorporated into the cybersecurity program to improve our cybersecurity posture and program maturity. We regularly monitor the qualitative and quantitative performance of the program and other risk metrics. Key risks are identified, and appropriate mitigations are implemented through a combination of people, process, and technology solutions that are continuously evolving to address a dynamic and increasingly sophisticated threat environment. Based on this framework, we have developed and implemented a comprehensive set of cybersecurity policies and procedures to address the key cybersecurity risks faced by AdvanSix. We continue to assess evolving threats and update our policies and procedures appropriately.
Our cybersecurity program is designed to protect information technology networks and assets using the latest technologies that leverage artificial intelligence, machine learning and automation. Our security architecture uses a “defense-in-depth approach,” with controls implemented at user, email, endpoint, cloud, access, and network levels. In addition, training our employees is a critical element of our cybersecurity program. Our comprehensive security awareness and training program covers 100% of our employees on protective measures regarding information security, data privacy, cyber-attacks and recognizing phishing attempts. This program includes regular communication, interactive trainings, and simulated phishing assessments and is designed to reinforce risk awareness and address the latest and most relevant risks. We have implemented robust controls and procedures to ensure trainings are completed in a timely manner and to track our cybersecurity performance metrics.
Our environment is monitored continuously for security events by our security operations center, which detects, alerts, and responds to any potential security incidents on a 24/7 basis. Potential incidents or notable risks are escalated by the cybersecurity team and the CISO to the General Counsel and the CIO. If appropriate, the status of such potential incidents or notable risks will be further escalated to the Chief Executive Officer and the Chief Financial Officer. As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company.
AdvanSix has developed cybersecurity incident response plans and procedures, including the formation of a designated cybersecurity incident response team with representatives from across the organization. In the event of an actual cybersecurity incident, the cybersecurity incident response plan serves as the guiding framework for the Company including with respect to incident assessment, mitigations and controls, as well as response, recovery, reporting and resolution. We conduct periodic scenario planning sessions and tabletop exercises with the cybersecurity incident response team and other key functional roles in the enterprise to improve our response preparedness in the event of a security incident. AdvanSix has implemented various measures to protect its sites from both physical and cyber-attacks, which take into account applicable data security and other data privacy laws and regulations. Emerging threats and opportunities to further mitigate cybersecurity risk are continuously explored and evaluated. A vulnerability management program continually assesses our environment to identify and remediate system and software vulnerabilities. A data governance policy and data loss prevention program have been implemented to protect our intellectual property and other sensitive data. We also engage independent third parties to perform security assessments on at least an annual basis, which include penetration testing of our external and internal environment.
In summary, the Company’s approach to cybersecurity is intended to assess, identify, and manage risks from cybersecurity threats, implement mitigations and controls consistent with the NIST Cybersecurity Framework and support safe, stable and sustainable operations, while protecting our intellectual property, confidential information, privacy data, operations, and infrastructure.