POWELL INDUSTRIES INC 10-K Cybersecurity GRC - 2024-11-20

Page last updated on November 20, 2024

POWELL INDUSTRIES INC reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-11-20 15:30:10 EST.

Filings

10-K filed on 2024-11-20

POWELL INDUSTRIES INC filed a 10-K at 2024-11-20 15:30:10 EST
Accession Number: 0000080420-24-000086


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity represents an important component of our overall approach to enterprise risk management. Our cybersecurity policies and processes are fully integrated into our Enterprise Risk Management program and are based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), a toolkit for organizations to manage cybersecurity risk in its assessment of cybersecurity capabilities and in developing cybersecurity priorities. In addition to internal assessments, our cybersecurity strategy and capabilities are evaluated and audited against the NIST Framework and industry best practices by independent, third-party, leading specialists in cybersecurity.

We strive to create a culture of cybersecurity resilience and awareness. This tone is set from the top and continuously reinforced with our employees through education and regular testing. We continue to improve our programs and invest in the security of our systems, operations, people, infrastructure, and cloud environments. Our cybersecurity strategy seeks to follow industry best practices designed to ensure compliance with applicable global privacy and regulatory requirements. To protect our customers, we administer physical, technological and administrative controls on data privacy and security. We regularly validate our security controls by performing penetration testing, compliance audits, as well as proactive security testing to ensure our systems and controls are secure.

The Board of Directors is briefed on our strategy and roadmap in alignment with the NIST Cybersecurity Framework. The Board receives annual updates on program maturity, cybersecurity risks, threat landscape and overall program progress.

Our cybersecurity risk management program is focused on the following key areas:

Education and Awareness

We provide required security awareness education and training to our employees and contractors with system access that focuses on various aspects of the cybersecurity world. Users of Powell’s internal systems are required to complete an annual cybersecurity awareness training and are tested for awareness on a regular basis. We also provide tailored training courses to functional technology employees and employees who process personal or sensitive information.

Threat Management, Incident Response, and Recovery Planning

We have established and maintain a comprehensive incident response and recovery plan designed to identify, contain and eradicate cybersecurity threats, with recovery from an incident as rapidly as possible. Our information security team utilizes threat technologies and vendors to monitor and respond to security threats via a 24/7/365 Security Operations Center. In the event of a security incident, a defined procedure outlines containment, response and immediate recovery actions. The incident response plan is tested, evaluated and updated no less than on an annual basis.

Data and Consumer Privacy

Our data and consumer privacy program monitors, adapts to and works diligently to comply with changes in global privacy legislation. We have implemented technical, procedural and organizational measures designed to comply with applicable data protection and consumer privacy laws. We conduct external benchmarking, as well as privacy compliance audits, to stay abreast of developing privacy laws and understand developing risks, best practices and industry trends.

Third-Party Risk Management

We recognize the risks associated with the use of vendors, service providers, and other third parties that provide information system services to us, process information on our behalf, or have access to our information systems. The Company has processes in place to oversee and manage these risks. We have an information risk management program that includes a vendor risk assessment process, whereby we systematically oversee and identify risks from cybersecurity threats related to our use of key third-party service providers.

Cybersecurity Governance

Our executive management team and Board of Directors oversee our policies with respect to risk assessment and the management of those risks that may be material to us, including cybersecurity risks. Our Board of Directors has delegated responsibility to the Audit Committee for the oversight of cybersecurity risks.

While cybersecurity resilience is the responsibility of every employee and contractor, the cybersecurity program is led by the Chief Information Security Officer who reports to the Chief Information Officer. Our Chief Information Security Officer has extensive experience in network engineering and cybersecurity operations from both a practical and management standpoint. He leads global teams in cybersecurity and infrastructure operations and regularly attends training in cybersecurity and risk mitigation.

The Information Technology (IT) Cybersecurity Risk Management Committee, comprising senior IT leaders, meets quarterly and reviews trending risks and remediation efforts, and reports to the Audit Committee. When necessary, we assign resources to mitigate and evaluate risks to the enterprise level as part of our Enterprise Risk Management program.

The Audit Committee receives a comprehensive annual report of cybersecurity risks, threat landscape, and overall program status. On an annual basis, the Chief Information Security Officer reports to the Audit Committee on various metrics on threat management, incident response and recovery planning, along with industry benchmarks. The Audit Committee reports on these matters to our Board of Directors as needed. In addition, the Chief Information Security Officer periodically presents directly to our Board of Directors on our cybersecurity program.

We believe that the risks from cybersecurity threats thus far, including any previous cybersecurity incidents, have no material impact on our business including our business strategy, financial condition or results of operations. For additional information about the cybersecurity risks, see Item 1A. Risk Factors.


Company Information

Name: POWELL INDUSTRIES INC
CIK: 0000080420
SIC Description: Switchgear & Switchboard Apparatus
Ticker: POWL - Nasdaq
Website
Category: Accelerated filer
Fiscal Year End: September 29