APPLIED INDUSTRIAL TECHNOLOGIES INC - (AIT)

10-K Filing Date: August 16, 2024
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy
Our cybersecurity program is informed by various industry frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and our security management is ISO/IEC 27001:2022 certified. Our management, with oversight from our Board, performs an annual enterprise-wide risk assessment (ERA) to identify key existing and emerging risks. One of the main risks identified and assessed annually through this process is cybersecurity and data privacy, which remains a key focus for the Company, management, and our Board.
We maintain multiple layers of security designed to detect and block cybersecurity events, as well as employ a dedicated team of cybersecurity personnel and professionals, who assist our Vice President – Information Technology in helping to assess, identify, monitor, detect and manage cybersecurity risks, threats, vulnerabilities and incidents. Further, we have various processes and programs designed to manage cybersecurity risks associated with our use of third-party vendors and suppliers.
When we implement significant changes to our information systems, we conduct risk-based security and privacy impact assessments and deploy technical safeguards that are designed to reasonably protect our technology and information systems from cybersecurity threats. We actively monitor and proactively research potential cybersecurity threats to our information systems, and we use what we learn to evolve our security controls over time to mitigate risks posed by such threats.
We also engage third-party service providers when deemed necessary both to expand our capabilities and capacity and to evaluate the effectiveness of our cybersecurity program, including hosting regular table-top exercises meant to evaluate and improve the overall effectiveness of our cybersecurity program.
Our Incident Response Plan provides a framework for responding to cybersecurity incidents. The plan governs activities such as preparation, detection, coordination, eradication, and recovery, as well as appropriate escalations to the Company’s senior management and Board and disclosure under applicable rules and regulations. The Incident Response Plan is routinely reviewed and updated as appropriate by our Vice President – Information Technology and other senior management members.
We provide recurring mandatory information security training (which includes cybersecurity training) to our associates based on access, risk, roles, and behaviors.
Overall, we implement, develop, and maintain systems and operate programs that seek to mitigate the impact of cybersecurity incidents. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage information systems or data on such systems, change frequently, we must continually monitor and update these systems and programs. See “Risk Factors” in Item 1A of Part I above for additional information on risks related to our business, including risks related to cybersecurity incidents and privacy and data protection.
Governance
Our Vice President – Information Technology leads management’s assessment and management of cybersecurity risk. He reports directly to our President & Chief Executive Officer and is a member of our senior management team, providing cybersecurity updates to that group monthly, with more frequent updates as needed. Our Vice President – Information Technology has more than 35 years of experience within industrial distribution, the majority of which was spent managing and maintaining information systems. In addition, our Vice President – Information Technology leads a team of individuals that focus on monitoring our information systems and data for intentional and unintentional actions that could cause harm to our information systems or the data on such systems.
As indicated above, our management, with oversight from the Board, performs an annual ERA and cybersecurity is among the main risks identified by the ERA for Board-level oversight. Our full Board has oversight of our efforts in cybersecurity and meets regularly with our Vice President – Information Technology (three times during fiscal 2024) on our cybersecurity risks and programs. The Board is also updated as needed on cybersecurity threats, incidents, or new developments in our cybersecurity risk profile.

