EnerSys 10-K Cybersecurity GRC - 2024-05-22

Page last updated on July 16, 2024

EnerSys reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-22 16:17:08 EDT.

Filings

10-K filed on 2024-05-22

EnerSys filed a 10-K at 2024-05-22 16:17:08 EDT
Accession Number: 0001289308-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We are dedicated to safeguarding our invaluable assets and ensuring the well-being of personnel, as demonstrated through the preparation of our cybersecurity program. Cybersecurity Risk Management and Strategy Our cyber risk management program is designed to comprehensively address the spectrum of cybersecurity threats that confront our organization. Within this program, we integrate an analysis of the risks facing the organization to guide our preparedness against cybersecurity threats to ensure a holistic approach that encompasses cross-functional and geographical visibility under the oversight of executive leadership through regular risk management meetings. To aid our cybersecurity risk management strategy, we contract with dedicated third-party firms and assessors to identify risks and threats to our organization. These assessments adhere to leading cybersecurity standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework aligning with industry best practices. Additionally, our organization adheres to compliance with the Cybersecurity Maturity Model Certification (CMMC) and is undergoing International Organization for Standardization (ISO) accreditation, further demonstrating our commitment to adhering to rigorous cybersecurity standards. To oversee incident response and mitigation we utilize our incident response plan and processes to standardize our processes for assessing, identifying, and managing cybersecurity incidents. This includes a comprehensive reporting structure and analysis processes to provide visibility and determine incident business impact. Were a cybersecurity incident to occur, we have also implemented a cross-functional business team to aid in the determination of incident impact, severity, and materiality, with the support of standing external counsel and third-party incident response advisors. Additional to our third-party incident response advisors and support contracts, we undergo regular penetration tests to bolster our readiness in the event of cybersecurity incidents. Furthermore, we have also obtained cybersecurity insurance coverage to enhance protection and minimize potential financial losses arising from cyber threats. We prioritize cybersecurity within our supply chain, both nationally and globally, by assessing our third-party cybersecurity posture to provide secure visibility with our partnerships. As part of our due diligence processes, we conduct security questionnaires and service provider reviews, to align our cybersecurity standards on the onset of our partnerships. Additionally, we collaborate closely with a third-party vendor to enhance supply chain resilience. This collaboration involves leveraging their expertise to inform decision-making and enhance risk oversight processes, ensuring greater robustness, and adaptability in managing supply chain challenges. While we maintain a strong cybersecurity posture, we continuously strive for improvement and vigilance to mitigate evolving threats within this dynamic environment and protect our stakeholders’ interests. Our organization has not experienced any unauthorized access resulting from cybersecurity incidents with a materially adverse effect on our business, operations, or financial condition and we remain cognizant of the potential impact of insufficient cybersecurity measures on our operations. For further insights into additional organizational risks, please refer to the General Risk Factors section of Item 1(A) Risk Factors. Cybersecurity Governance The Board delegated primary oversight authority to the Audit Committee who plays a pivotal role in ensuring the effectiveness of our cybersecurity strategy. Through regular updates provided by our leadership team, the committee actively evaluates the organization’s cybersecurity posture and aids in prioritizing risk mitigation efforts aligned with our strategic objectives. These updates encompass detailed quarterly reports during audit committee meetings, covering key metrics, ongoing initiatives, and any cybersecurity incidents. Additionally, on an annual basis, the entire board receives updates on the progress of our cybersecurity program and strategy, including insights into emerging risks and industry trends. Moreover, the board benefits from supplementary educational briefings delivered by both internal and external experts, providing invaluable global threat visibility and enhancing the Board’s understanding of cybersecurity challenges and opportunities. Overseeing our cybersecurity initiatives is our CIO and Director of Global Cybersecurity, who provide invaluable expertise in managing cybersecurity risks and leading our cybersecurity operations. Both the CIO and Director of Global Cybersecurity possess extensive expertise in information technology and program management, with a wealth of experience, including over 19 combined years of dedicated service within our corporate information security organization. Furthermore, the executive leadership team is active in security operations, overseeing implementation of policies, procedures, and policies related to cybersecurity, technology, and vendors. Both the Audit Committee of the Board as well as executive leadership team will be notified and updated in the event of an incident, with incident updates, mitigation efforts, and impact, as deemed appropriate.

Company Information