Thermon Group Holdings, Inc. - (THR)
10-K Filing Date: May 29, 2024
ITEM 1C. CYBERSECURITY
Risk Management
Thermon’s cybersecurity risk management system is a comprehensive framework that helps the Company identify, assess, and mitigate known cybersecurity risks. The system is designed to protect the confidentiality, integrity, and availability of the Company's information assets.
The system includes a risk assessment process that identifies and assesses the Company's cybersecurity risks. The risk assessment process is based on the security principles set forth in the National Institute of Standards and Technology Common Industry Format Cybersecurity Framework and includes the following steps:
• Identification of assets
• Identification of threats
• Identification of vulnerabilities
• Assessment of risk
The system is primarily implemented by the Company's cybersecurity team. This team is responsible for:
• Developing and implementing the risk assessment process
• Developing and implementing the risk mitigation strategy
• Developing and implementing the risk monitoring and reporting process
• Training the Company's employees on cybersecurity risk management
The Company's cybersecurity risk management system is reviewed and updated on an annual basis. This includes a comprehensive incident response plan. The review process is designed to ensure that the system remains effective and efficient as the cybersecurity threat landscape evolves.
The Company currently uses a third-party system for training our people on cybersecurity risks as well as strategies to mitigate those risks through interactive learning and tests. The Company tracks the compliance and performance of the relevant people who participate in the training.
Monitoring is another key component of the cybersecurity risk management system. We employ 24/7 monitoring and regular testing to mitigate threats and possible weaknesses. Additionally, we maintain insurance coverage for cybersecurity attacks.
Governance
The Company's Chief Executive Officer ("CEO"), through the appropriate reporting channels, is responsible for the cybersecurity risk management program. The Company's information technology department is responsible for developing and implementing the Company's cybersecurity policies, procedures, and strategies; overseeing the Company's cybersecurity risk assessment process; and monitoring the Company's cybersecurity risk profile.
The Company's cybersecurity risk management program is subject to periodic review and updates. The Company's Board of Directors is responsible for overseeing the Company's cybersecurity risk management program through the Audit Committee. The Board receives quarterly reports on the Company's cybersecurity risk profile and the effectiveness of the Company's cybersecurity risk management program.
During the past year, there have been no material risks from cybersecurity threats or prior cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition. Despite our cybersecurity risk management program and the associated controls, and those of our third-party providers, we may be vulnerable to cyber-attacks, computer viruses, security breaches, ransomware attacks, inadvertent or malicious employee actions, program failures, and other risks that could materially impact our financial condition, results of operations and cash flows.
For risks regarding cybersecurity and our information systems, please refer to Item 1A. “Risk Factors” in this annual report.