COMPASS MINERALS INTERNATIONAL INC 10-K Cybersecurity GRC - 2024-12-16

Page last updated on December 16, 2024

COMPASS MINERALS INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-16 17:19:23 EST.

Filings

10-K filed on 2024-12-16

COMPASS MINERALS INTERNATIONAL INC filed a 10-K at 2024-12-16 17:19:23 EST
Accession Number: 0001227654-24-000230

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy Risk Assessment and Management As digitization and technological advancements continue to accelerate, the landscape of cybersecurity faces new challenges. Compass Minerals remains vigilant in our efforts to minimize risk by safeguarding systems and protecting private business, partner, and customer information. Protection of our digital assets requires strategically focused cybersecurity processes with persistent execution. We maintain a cybersecurity program employing many components and strategies to mitigate and remediate day-to-day cybersecurity threats and exposures. We approach cybersecurity threats through a cross-functional, multilayered approach, with specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to us; (ii) preserving the confidentiality, security, integrity, and availability of the information that we collect and store to use in our business; (iii) protecting our intellectual property; (iv) maintaining the confidence of our customers, clients and business partners; and (v) providing appropriate public disclosure of cybersecurity risks and incidents when required. Our layered approach to cyber security risk mitigation includes the following: - Secure architectural solution design of processes and system configuration. - Assessment and remediation of cybersecurity events with potential impact on business processes. - Proactive monitoring and mitigation of active exploits through managed services. - Evolution of the information security governance program. We take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect our operations, finances, legal or regulatory compliance, and/or reputation. We employ continuous monitoring systems and other technologies and security controls to assist us with the identification of cybersecurity risks and threats. These strategies include, among others, the application, adoption or modification of cybersecurity policies and 26 2024 FORM 10-K Table of Contents COMPASS MINERALS INTERNATIONAL, INC. procedures, implementation of administrative, technical, and/or physical controls and employee training, education, and awareness initiatives. Our cybersecurity risk management includes continuous monitoring of networks and systems for potential signs of suspicious activity. We have deployed managed detection and response services for all corporate production systems (servers, desktops, and laptops). This managed service includes 24x7x365 monitoring, threat hunting, remediation, and escalation to help maintain a secure environment. We also provide mechanisms and training for employees to report to the IT Department any unusual or potentially malicious activity they observe for proper identification and analysis. We track key performance indicators and cybersecurity metrics to evaluate the efficacy of our cybersecurity controls and practices. Further, our cybersecurity program is periodically reviewed by senior members of management and adjusted as needed to maintain the program’s agility and responsiveness as circumstances and technologies evolve, new cybersecurity threats emerge, and regulations change. Cybersecurity represents a critical component of our overall approach to risk management. Our cybersecurity policies, standards and practices are fully integrated into our enterprise risk management (“ERM”) approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by our Board of Directors (the “Board”). We separately operate an ERM program to identify, evaluate and manage risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program to align cybersecurity efforts with our broader business goals and objectives. We believe that integrating cybersecurity risks into our ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard our operations, financial condition, and reputation in an ever-evolving threat landscape. Cybersecurity risks are further considered and evaluated as part of an annual risk assessment performed independently by our internal audit department. Incident Response We maintain an incident response policy and program focused upon detecting, managing, documenting, and reporting incidents affecting our systems and data, including those specific to cybersecurity. In the event of a significant cybersecurity incident, we establish an incident response team (“IRT”) that works in conjunction our internal crisis management team, subject matter experts, and business stakeholders to identify, contain, eradicate and, if necessary, recover from a cybersecurity incident. We have built into our incident response program, a review process that gives our disclosure committee real-time access to information to rapidly assess materiality. These efforts may include detecting, identifying, defending against, responding to and, if necessary, recovering from cybersecurity incidents. Incidents that meet certain thresholds are escalated to senior members of management, internal legal advisors, communication specialists and other key stakeholders for additional guidance and action. Through third parties we are also able to rapidly deploy forensic analysis, legal services, notification, and call center service(s). Our incident response and change management policies and procedures were designed based on guidelines from the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”). Use of Third Parties Cybersecurity Service Providers and Third-Party Consultants . Periodically we engage independent cybersecurity consultants, auditors and other third parties to assess and enhance our cybersecurity risk assessment and practices. These third parties conduct independent assessments, penetration testing and vulnerability assessments to identify weaknesses and recommend improvements. When cybersecurity risks are identified, we prioritize mitigation strategies based upon risks’ potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Additionally, we employ several third-party tools and technologies as part of our efforts to enhance cybersecurity functions and monitoring. Oversight of Third-Party Service Providers . We use third-party service providers to support our operations and many of our technology initiatives, including third parties that house financial or sensitive information. Our technology acquisition policy and our internal controls framework require us to obtain and review attestation reports regarding these third-party service providers and their sub-service processors or providers and their internal controls, complementary user entity controls and contractual obligations, including those specific to cybersecurity. We evaluate cybersecurity risks associated with our use of third-party service providers, which may include a review of a service provider’s cybersecurity posture or a recommendation of specific mitigation controls. We determine and prioritize service provider risk based on potential threat impact and likelihood and these risk determinations determine the level of due diligence and ongoing compliance monitoring required for each service provider. We have independent validation and assessment capabilities from our cyber insurance provider (Resilience). Each year we select several third-party suppliers for evaluation, analyze resultant reports, and mitigate risks associated with the vendor as needed. Risks from Material Cybersecurity Threats As of the date of this report, we have not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although we have not previously experienced cybersecurity incidents that are individually, or in the aggregate, material, we have experienced cyberattacks in the past, which we believe have thus far been deflected or mitigated by our preventative, detective, and responsive measures. 27 2024 FORM 10-K Table of Contents COMPASS MINERALS INTERNATIONAL, INC. Cybersecurity Governance Board Oversight Our board level audit committee retains oversight of our cyber security program, which is led by our vice president of information technology services. Our senior leadership regularly provides updates on cybersecurity risks and cyber security initiatives to both the audit committee and the broader board. The Board is responsible for overseeing management’s assessments of major risks facing the Company and for reviewing options to mitigate these risks. The Board’s oversight of cybersecurity risks occurs at both the Board level and through its Audit Committee. The Board . The Chief Executive Officer, the Chief Financial Officer, other members of senior management and other personnel and advisors, as requested by the Board, report on our financial, operating, and commercial strategies, as well as major related risks, which may include cybersecurity risks, at regularly scheduled meetings of the Board. The Board may request follow-up data and presentations to address any specific concerns or recommendations. The Audit Committee . The Audit Committee reviews with our management team, including our vice president of information technology services, our cybersecurity frameworks, policies, technologies, programs, opportunities, strategies, and risks. These presentations highlight any significant cybersecurity incidents, the cyber threat landscape, cybersecurity program enhancements, cybersecurity risks, related remediation and mitigation activities, security user awareness and reporting training program and any other relevant cybersecurity topics. In addition, members of our Legal Department advise the Audit Committee as needed regarding cybersecurity-related legal matters, including disclosure requirements. Management believes that these reports help to provide the Audit Committee with an informed understanding of our cybersecurity program, risks, and strategies. The Audit Committee may request follow-up data and presentations to address any specific concerns or recommendations. In addition to this periodic reporting, significant cybersecurity risks or threats may also be escalated to the Audit Committee as needed based upon our cyber incident reporting process. The Audit Committee reports regularly to the entire Board and reviews with the Board any major issues that arise at the committee level, which may include cybersecurity risks. Management’s Role Our IT Department addresses current and emerging cybersecurity matters. This function is led by our vice president of information technology services, who reports to our Chief Strategy Officer. The IT Department’s security team, a cross-functional group composed of members with substantial professional and technical information technology experience, oversees the cybersecurity program to help ensure the confidentiality, integrity and availability of the company’s systems and mitigate day-to-day threats and exposures. It is responsible for measuring and managing cybersecurity risk, including the prevention, detection, mitigation, and remediation of cybersecurity incidents and for implementing cybersecurity policies, programs, procedures and strategies. The security team reports significant cybersecurity incidents to senior management, internal legal advisors, communication specialists and other key stakeholders as required.

Company Information