AMERICAN SUPERCONDUCTOR CORP /DE/ - (AMSC)
10-K Filing Date: May 29, 2024
Overview
Cybersecurity risk is the business risk associated with a vulnerability to financial or reputational loss due to a cyber attack or a data breach. Our technologies, systems and networks may be subject to cybersecurity threats. Our business, like others within the energy technologies industry, is faced with growing cybersecurity threats as we increasingly rely on digital technologies across our business, some of which are managed by third-party service providers on whom we rely to help us collect, host or process information.
We recognize the significance of these threats, sometimes referred to as hacking, cybersecurity fraud, and cyberattacks, and maintain processes and procedures to protect our critical systems and sensitive information from unauthorized access. Despite our ongoing efforts to improve our cybersecurity infrastructure and processes, there can be no assurance that a sophisticated cyber-attack would be detected or thwarted in a timely manner. To date, we are not aware of any material information security breaches and have not incurred significant operating expenses related to information security breaches. For more information on risks related to cybersecurity, please see the section titled “Risk Factors” included under Item 1A of this Annual Report on Form 10-K.
Risk Management and Strategy
Our cybersecurity risk management program includes operational, technical and physical controls to protect against and respond timely to cybersecurity threats. To address evolving cybersecurity risks and corresponding regulations, our policies and procedures are benchmarked to industry, regulatory and cybersecurity frameworks (e.g., National Institute of Standards and Technology).
Management has engaged third-party vendors to assist in monitoring our cybersecurity risk management programs and identifying and responding to any incidents. Additionally, third-party vendors are routinely engaged to evaluate how effectively management as a whole manages cybersecurity risk. We also utilize third-party cybersecurity vendors to assess our protections against identified vulnerabilities.
We have developed cybersecurity training for employees concerning cybersecurity risk. This training provides information on security awareness and phishing simulations. All employees are required to attend periodic cybersecurity training. On a regular basis, our IT team shares news and articles related to cybersecurity awareness with all employees.
The Director, Global Information Technology and Financial Systems (the “IT Director”), leads an internal team and works directly with our third-party vendors to manage our cybersecurity risk management program and activities. The internal team monitors our information systems for cybersecurity threats, reviews cybersecurity incidents, analyzes emerging threats, and develops and implements risk mitigation strategies. The IT Director periodically reports on the cybersecurity program to the Company’s Chief Financial Officer (“CFO”).
Our cybersecurity risk assessment is performed annually and includes external and internal penetration testing performed by third-party vendors to test for vulnerabilities in the Company’s environment.
Governance
The Board of Directors has delegated the oversight of risks from cybersecurity threats to the Audit Committee, which has delegated authority to the CFO to oversee the Company’s cybersecurity risk management, including preventing, detecting and responding to any suspected cybersecurity incident.
The Audit Committee is updated at least annually by the CFO on the status of cybersecurity matters. Contemporaneous reporting is provided on an as-needed basis to the Audit Committee and to the full Board of Directors on significant cyber events, including response, legal obligations, and outreach and notification to regulators and third parties when needed.
On an annual basis, the IT Director reviews the results of the current state of cybersecurity risk management, including the results of our cybersecurity risk assessment and any action plan to address any identified vulnerabilities.