GENERAC HOLDINGS INC. 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

GENERAC HOLDINGS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:07:25 EST.

Filings

10-K filed on 2025-02-19

GENERAC HOLDINGS INC. filed a 10-K at 2025-02-19 16:07:25 EST
Accession Number: 0001437749-25-004353


Item 1C. Cybersecurity.

The Company’s management and Board recognize the importance of strong oversight of cybersecurity risk, information security and technology in maintaining the trust and confidence of our customers, partners, employees and stockholders. Our processes for assessing, identifying and managing material risks from cybersecurity threats are incorporated into our Enterprise Risk Management (ERM) program in a similar fashion to other legal, compliance, operational, and financial risk areas. The Company maintains cybersecurity measures aligned with the National Institute of Standards and Technology Cybersecurity Framework (Framework) which organizes cybersecurity risks into six categories: identify, protect, detect, respond, recover and govern, and looks to other standards as well to help identify, assess, and manage cybersecurity risks relevant to our business.

Our Chief Information Officer (CIO) oversees our information systems and cybersecurity function and reports to our Chief Executive Officer (CEO). He has over 20 years of experience in leading information systems management, strategy, and operational execution, including incident prevention, management, and response. Our Company’s Chief Information Security Officer (CISO) is responsible for developing and implementing our information security program and reports to our CIO. The CISO has over 25 years of experience supporting cybersecurity and information technology. They are supported by a direct and cross-functional team of professionals with expertise and experience in threat assessment and detection, mitigation strategies, incident response, training, and regulatory compliance.

In addition, we have established a Cybersecurity Steering Committee comprised of members of executive leadership. The Steering Committee, in which our CIO and CISO participate, meets regularly and has established Company-wide policies and standards concerning cybersecurity matters. These policies cover areas such as malware protection, remote access, multifactor authentication, containment of confidential information and the use of the internet, email and wireless devices. We have an established incident response plan led by our CIO and CISO and depending on the nature and severity of the incident, requires escalating notifications up to our CEO and Board.

Our Board oversees our enterprise risk management activities. The Board receives periodic updates on our cybersecurity risk management program as well as regular updates and education on relevant legislation and trends related to cybersecurity. Our Audit Committee assists the Board in its oversight role and receives regular reports from management on the Company’s information systems and cybersecurity program. Several members of our Board’s Audit Committee have expertise and experience in cybersecurity, and one director is the President of a major cybersecurity services provider.

The CISO and information technology security team conduct regular risk assessments to assess the overall technology infrastructure and related business processes, identify and address potential security gaps and vulnerabilities, and identify areas requiring additional focus. These risk assessments extend to our supply chain, where cybersecurity health assessments are employed for our critical suppliers. The results are used to calculate a Cybersecurity Risk Score, a key component of our Supply Chain Scorecard used to proactively identify and manage potential risks. Additionally, we require certain third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, as appropriate. Risk assessments are also performed on new products and software as part of our new product development process. As part of our risk assessments, we engage third-party services for network penetration testing and security evaluations, conduct annual incident response table-top exercises, and perform regular testing of controls related to our financial information systems by our Internal Audit function.

In order to promote a culture of security awareness across our organization, all employees are required to complete an annual cybersecurity awareness training and are provided with periodic information updates on cybersecurity threats. We also maintain cyber insurance policies to help partially mitigate the financial impact of a significant cybersecurity incident.

Despite our best efforts, we cannot guarantee that our security measures will prevent all potential cybersecurity incidents or breaches. Our systems are continually subject to sophisticated and evolving cyber threats, such as phishing, ransomware, social engineering, and advanced persistent threats. However, to date, we have not been subject to any incidents or successful cyber-attacks that have materially impacted our operations or financial condition. The Company has invested in developing and acquiring cybersecurity capabilities allowing us to monitor threats and manage incident response. We have also developed internal policies to mitigate cybersecurity incidents, including providing clear guidelines for incident classification, escalation, and response. We recognize the importance of continued monitoring and improvement of our cybersecurity program, and will continue to evolve our security controls, incident response capabilities, and third-party vendor management protocols. For additional information on the cybersecurity risks that we face, also see Item 1A. “Risk Factors” of this Annual Report on Form 10-K.


Company Information

Name: GENERAC HOLDINGS INC.
CIK: 0001474735
SIC Description: Motors & Generators
Ticker: GNRC - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30