Andersons, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on July 16, 2024

Andersons, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:37:37 EST.

Filings

10-K filed on 2024-02-21

Andersons, Inc. filed a 10-K at 2024-02-21 16:37:37 EST
Accession Number: 0000821026-24-000071


Item 1C. Cybersecurity.

A change in tax laws or regulations of any federal, state or international jurisdiction in which we operate could increase our tax burden and otherwise adversely affect our financial position, results of operations, cash flows and liquidity.

We continue to assess the impact of various U.S. federal, state, local and international legislative proposals that could result in a material increase to our U.S. federal, state, local and/or international taxes. We cannot predict what impact, if any, changes in federal policy, including tax policies, will have on our industry or whether any specific legislation will be enacted or the terms of any such legislation. However, if such proposals were to be enacted, or if modifications were to be made to certain existing regulations, the consequences could have a material adverse impact on us, including increasing our tax burden, increasing our cost of tax compliance or otherwise adversely affecting our financial position, results of operations, cash flows and liquidity. Changes in applicable U.S. or foreign tax laws and regulations, or their interpretation and application, including the possibility of retroactive effect, could affect our tax expense and profitability. Such impact may also be affected positively or negatively by subsequent potential judicial interpretation or related regulation or legislation which cannot be predicted with certainty.

The Andersons, Inc. | 2023 Form 10-K |

We are subject to various legal and regulatory proceedings, including litigation in the ordinary course of business, and uninsured judgments or a rise in insurance premiums may adversely impact our business, financial condition and results of operations.

In the ordinary course of business, we are subject to various legal and regulatory proceedings, which may include but are not limited to those involving antitrust, tax, environmental, intellectual property, data privacy and other matters, including general commercial litigation. Any claims raised in legal and regulatory proceedings, whether with or without merit, could be time consuming and expensive to defend and could divert management’s attention and resources. Additionally, the outcome of legal and regulatory proceedings may differ from our expectations because the outcomes of these proceedings are often difficult to reliably predict. Various factors and developments can lead to changes in our estimates of liabilities and related insurance receivables, where applicable, or may require us to make additional estimates, including new or modified estimates that may be appropriate due to a judicial ruling or judgment, a settlement, regulatory developments or changes in applicable law. A future adverse ruling, settlement or unfavorable development could result in charges that could have a material adverse effect on our results of operations in any particular period.

In accordance with customary practice, we maintain insurance against some, but not all, of these potential claims. In the future, we may not be able to maintain insurance at commercially acceptable premium levels. In addition, the levels of insurance we maintain may not be adequate to fully cover any and all losses or liabilities. If any significant judgment or claim is not fully insured or indemnified against, it could have a material adverse impact on our business, financial condition and results of operations.

Item 1B. Unresolved Staff Comments

The Company has no unresolved staff comments.

Item 1C. Cybersecurity

The Company is committed to ensuring the safe operation of its business by means of a dedicated cybersecurity program designed to protect the confidentiality, integrity, and availability of its assets from cybersecurity threats. The Company’s customers, suppliers, and joint venture partners also face cybersecurity threats, and a cybersecurity incident impacting the Company or any of these entities could materially impact our operations, performance, and results of operations. New and evolving cybersecurity threats and related risks make it imperative that the Company allocates the appropriate resources to mitigate these risks, adapts to the changing cybersecurity landscape, and responds to emerging threats in a timely and effective manner.

The underlying controls of the Company’s cybersecurity program are designed to be aligned with the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) standards for cybersecurity and information technology. The controls in the Company’s cybersecurity program include but are not limited to, endpoint threat detection and response, privileged access management, logging and monitoring, multi-factor authentication, firewalls and intrusion detection and prevention, vulnerability, and patch management. Management regularly assesses the Company’s cybersecurity capabilities and has implemented policies, processes, and technology that it considers appropriate to reduce the likelihood or impact of a breach.

Third parties also play a role in the Company’s cybersecurity. The Company engages third-party contractors to assess cybersecurity controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. These assessments include testing both the design and operational effectiveness of these cybersecurity controls. The Company engages with these partners to monitor and maintain the performance and effectiveness of products and services that are deployed in the Company’s information technology environment. Management also shares and receives threat intelligence with our peers, local public companies, and cybersecurity associations.

The Company’s Senior Manager of Information Security, reporting to the Vice President of Information Technology, is the leader of the Company’s cybersecurity team. The Senior Manager of Information Security is responsible for assessing and managing the Company’s cybersecurity program, informs the Vice President of Information Technology and other senior management as appropriate regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. Our Senior Manager of Information Security and Vice President of Information Technology have decades of collective experience in managing information technology and cybersecurity functions, both at the Company and in prior positions. Management also periodically evaluates the experience of the Company’s entire cybersecurity team to ensure adequate coverage across all eight key knowledge domains identified by the Certified Information Systems Security Professional certification.

Employees outside of the cybersecurity team also have a role in our cybersecurity defenses and they are engaged in a culture supportive of security protocols, which management believes improves the Company’s cybersecurity. All employees are required to complete cybersecurity trainings annually and have access to more frequent cybersecurity trainings through online trainings. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings.

The internal business owners of hosted applications are required to document user access reviews at least annually and receive a System and Organization Controls (“SOC”) 1 or SOC 2 report from the vendor. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, management will take additional steps to assess the vendor’s cybersecurity preparedness.

The Audit Committee of the Board of Directors oversees the Company’s cybersecurity program and the steps taken by management to monitor and mitigate cybersecurity risks. The Company’s Vice President of Information Technology regularly addresses the Audit Committee, typically on a quarterly basis, regarding our cybersecurity and data privacy progress to the NIST CSF standards along with briefing the Committee on any cybersecurity incidents that were determined to have a moderate or higher impact on the business, even if immaterial to the Company as a whole.

In the event of an incident, management intends to follow the Company’s incident response plan, which outlines the steps to be followed from the detection of an incident to mitigation, recovery, and notification, including notifying functional areas, as well as senior leadership and the Audit Committee, as appropriate. Determination of when to notify senior leadership and the Audit Committee is made by the Vice President of Information Technology in consultation with other members of senior leadership as needed. Depending on the nature and severity of the incident, disclosure can be handled either through scheduled quarterly reporting to the Audit Committee or as an immediate disclosure to the Chair of the Audit Committee.

Assessing, identifying, and managing cybersecurity related risks are integrated into the Company-wide ERM process. On an annual basis, management assesses the top risks facing the enterprise through the Company’s ERM process. Cybersecurity related risks are included in this annual function and to the extent the ERM process assigns a heightened risk to cybersecurity, risk owners are named to address the severity, likelihood, and controls in place to mitigate these risks. Upon the conclusion of the ERM process, management’s assessment is then presented to the Board of Directors.

Notwithstanding the attention the Company pays to cybersecurity risks and the processes and controls implemented, the Company may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on its business, strategy, financial condition, results of operations, cash flows, and reputation. Cybersecurity risks rapidly evolve and are complex, so the Company must continually adapt and enhance processes and controls. As the Company does this, management must make judgments about where to invest resources to protect the Company and our assets most effectively. These are inherently challenging processes, and management can provide no assurance that the processes and controls implemented will be effective.

The Company has experienced, and expects to continue to experience, cyber incidents in the normal course of business. Cybersecurity threats, including as a result of previous incidents, to date, have not had, and as of the date hereof we do not believe are reasonably likely to have, a material adverse effect on the Company’s business, strategy, financial condition, results of operations, or cash flows. However, for the reasons described above, management cannot guarantee that the Company will not be materially affected in the future. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for further discussion of cybersecurity risks.


Company Information

Name: Andersons, Inc.
CIK: 0000821026
SIC Description: Wholesale-Farm Product Raw Materials
Ticker: ANDE - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30