APTARGROUP, INC. - (ATR)

10-K Filing Date: February 09, 2024
ITEM 1C. CYBERSECURITY
Increased global cybersecurity threats and sophisticated, targeted computer crime could pose a risk to our operations. Aptar's cybersecurity risk management is strategically integrated into a broader enterprise-wide risk management framework and consists of administrative, operational, organizational, physical, and technical processes that we believe are appropriate to the scope and nature of our business. We believe this integrated approach allows cybersecurity considerations to be an integral part of our decision-making processes. Our risk management team works closely with our Information Security Department to continuously evaluate and address cybersecurity risks in alignment with our business and operational needs.
Our cybersecurity strategy focuses on continued strengthening of our security posture, improvement of security operational efficiencies, and preparedness for evolving business and technology needs including the detection, analysis, and response to known, anticipated or unexpected cybersecurity threats, management of material risks related to cybersecurity threats and resilience against cybersecurity incidents. We regularly assess potential threats and make investments seeking to reduce the risk of these threats against our critical information and assets by implementing a broad set of security measures, including comprehensive monitoring of our networks and systems, rapid detection and response, and threat management capabilities. For example, we scan our systems for vulnerabilities and annually engage external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our cybersecurity systems. The results of such assessments and reviews are reported to our Information Security Department and Audit Committee of the Board of Directors (the "Audit Committee"), and then we consider adjustments to our cybersecurity processes and practices as appropriate based on the information provided by the third-party assessments and reviews.
Security and data privacy awareness and training, which is designed to educate employees on recognizing information security and cybersecurity concerns, how they can help protect the organization and how to inform the cybersecurity team of potential incidents, is provided to new employees and annually to current Aptar employees. In addition, Aptar implements stringent processes to oversee and manage risks associated with our third-party providers. As set forth in our Sustainable Purchasing Charter, third-party providers are expected to, among other things, protect personal data and implement security and protection measures in relation thereto. We conduct security assessments of third-party providers before engagement and monitor their compliance with our cybersecurity standards on an ongoing basis. The monitoring includes periodic and ongoing assessments by our Information Security Department. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. In addition, we maintain cybersecurity insurance as part of our overall insurance portfolio.
Management briefs the Audit Committee on a quarterly basis regarding our information security programs. As part of its oversight responsibilities, the Audit Committee regularly discusses and reviews with management, among other items, Aptar’s compliance and cybersecurity programs. We also periodically test our systems for vulnerabilities and regularly engage third parties to conduct evaluations of our security controls, whether through penetration testing, independent audit or consulting on best practices to address new challenges. An independent review has assessed our cybersecurity program against the National Institute of Standards and Technology (NIST) cybersecurity framework. In addition, we maintain cybersecurity insurance as part of our overall insurance portfolio.
Our Information Security Department reports to our Vice President and Chief Information Officer and is headed by our Director of Information Security. This team, which is comprised of full-time information security professionals, is responsible for the implementation of our cybersecurity strategy, including assessing and managing material risks from cybersecurity threats. Our Vice President and Chief Information Officer is an experienced information technology professional with 34 years of experience in the industry, including oversight of our cybersecurity department, and has a degree in Management Information Systems. The Information Security Department ultimately reports to, and regularly informs, our Chief Information Officer and Chief Financial Officer with regard to cybersecurity risks and incidents. Our Chief Financial Officer is responsible for oversight of our response to cybersecurity incidents, as appropriate. In addition, our executive management discusses cybersecurity issues quarterly.
15/ATR
2023 Form 10-K

Aptar has a detailed incident response plan that provides the process and workflow of communication for escalation of incidents to executive leadership to determine if there is a breach that would warrant further action. We also have a cyber incident materiality committee, which is a cross-functional team that includes various departments across the Company including Finance, Public Relations, Accounting/Controller, Legal and the Director of Information Security. Our Information Security Department, in conjunction with the cyber incident materiality committee, reviews each incident under our materiality framework to assess whether further escalation and reporting is required and if the incidents could constitute a material breach. Periodically, our incident response team participates in a tabletop exercise or cybersecurity preparedness led by a third-party incident response provider.
The Audit Committee is responsible for the oversight of risks from cybersecurity threats. The Audit Committee is composed of independent directors with diverse experiences, including experience relating to risk management, technology, and finance. Management briefs the Audit Committee on a quarterly basis, and on an as-needed basis, regarding our information security program and related risks to Aptar. As part of its oversight responsibilities, the Audit Committee regularly discusses and reviews with management, among other items, Aptar’s risk management system, including cybersecurity programs. The Audit Committee receives regular updates on any significant developments relating to cybersecurity. Furthermore, significant cybersecurity matters and related strategic risk management decisions are escalated to the Board of Directors.
Although we have not experienced any material cybersecurity events to date, cybersecurity threats could materially affect our business strategy, results of operations, or financial condition, as further discussed in the risk factor entitled “Increased global cybersecurity threats and more sophisticated, targeted computer crime could pose a risk to our operations” in Part I, Item 1A of this report.