Atkore Inc. 10-K Cybersecurity GRC - 2024-11-20

Page last updated on November 21, 2024

Atkore Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 18:37:45 EST.

Filings

10-K filed on 2024-11-20

Atkore Inc. filed a 10-K at 2024-11-20 18:37:45 EST
Accession Number: 0001666138-24-000164

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Strategy and Risk Management Atkore’s commitment to cybersecurity emphasizes maintaining secure technology and data environments and the cultivation of a security-minded culture and capability. We do this through education and training, and a layered approach to identifying, preventing, detecting, responding and restoration from cybersecurity threats and incidents. Key elements of our program for assessing, identifying, and managing material risks from cybersecurity threats are anchored in widely used and industry recognized security frameworks and are described below. We maintain cybersecurity policies that articulate Atkore’s expectations and requirements with respect to topics such as acceptable use of technology and data, data privacy, risk management, education and awareness and event and incident management. We regularly conduct exercises, with the support of outside domain experts, to improve the effectiveness of our processes and we periodically assess our processes against recognized cybersecurity frameworks. Consistent with our position that cybersecurity is the responsibility of every Atkore employee, we regularly educate and share best practices with our employees to raise awareness of cybersecurity threats. Atkore employees participate in monthly training and testing. In addition to training, Atkore conducts table-top exercises as often as twice a year to simulate cybersecurity risk and response scenarios. Our cybersecurity team implements measures to ensure that Atkore can quickly identify and mitigate cybersecurity risks. Our controls are designed to restrict access to locations that house significant physical information technology assets. Other controls include the use of multifactor authentication, various third-party tools, network security technologies, and a crisis playbook. Our notification policies and processes are escalated to the appropriate personnel on a timely basis to support effective review, response, and compliance with legal requirements. Data is also aggregated to support the identification of trends for forward looking oversight. Key elements of Atkore’s annual Enterprise Risk Management (“ERM”) program include an inventory and classification of key risk areas and topics; a methodology for scoring risks based on the risk’s probability, severity, and velocity of impact, and for trending key risks; and a framework for developing and implementing countermeasures for key risks. Cybersecurity is one of six topical areas required to be addressed as part of the annual ERM program. Cybersecurity risks are scored using the same methodology applied to all other risks. This helps evaluate the significance and prioritization of cyber-related risks relative to wider business risks. Members of Internal Audit present annually to the Atkore Board of Directors a report on the results of the ERM process. This includes cybersecurity risks. We periodically engage external consultants to assess our cybersecurity program. Based on the information we have as of the date of this Annual Report, we do not believe any risks from cybersecurity threats, have materially affected or are likely to materially affect Atkore, including our business strategy, results of operations or financial condition. Cybersecurity Governance and Oversight At the management level, Atkore’s cybersecurity program is led by the Company’s Vice President - Chief Information Officer (“CIO”), who reports to Atkore’s Vice President - Business Development and Strategy, who in turn reports to Atkore’s Chief Executive Officer. Atkore’s CIO has over 30 years of experience in information technology roles with responsibilities including global cyber security strategy, global IT strategy, technology platforms and internal controls. The CIO has a Master of Business Administration from Kellogg School of Management at Northwestern University and a Bachelor of Science in Computer Information Systems from DeVry Institute of Technology. Reporting to the CIO is a Director of Cybersecurity. The current Director of Cybersecurity has over 20 years of experience in information technology roles with responsibilities including cyber security and security architecture 32 and engineering. The CIO is supported by the Cybersecurity Steering Committee (“CSC”), a management committee comprising members of the Executive Leadership Team and includes the leaders of the information technology, legal, finance, human resources, commercial and communications functions and that report to the Chief Executive Officer. The CSC supports the CIO in overseeing and managing information security risks and in the event of a cybersecurity incident provides oversight and leadership with respect to incident investigation, mitigation, and remediation. At the Board level, Atkore’s cybersecurity is overseen by a subset of the full Board of Directors, specifically the independent board members. This oversight includes a quarterly review of Atkore’s cybersecurity program, including key program metrics, initiatives, and developments. In addition, in the event of a significant cybersecurity incident, Atkore’s policy and process requires timely engagement of and consultation with the Board of Directors. Additional information about cybersecurity risks we face is discussed in “Item 1a. Risk Factors,” which should be read in conjunction with the information above.

Company Information