Page last updated on February 21, 2025
Atmus Filtration Technologies Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 15:26:18 EST.
Filings
10-K filed on 2025-02-21
Atmus Filtration Technologies Inc. filed a 10-K at 2025-02-21 15:26:18 EST
Accession Number: 0001921963-25-000029
Item 1C. Cybersecurity.
Our management and board of directors (the “Board”) recognize the importance of maintaining the capacity, reliability and security of our information technology environment and data security infrastructure to deliver on the expectations, and maintain the trust and confidence, of our customers, clients, business partners, employees and investors. The Board is actively involved in our risk management practices, including oversight of our overall enterprise risk management (“ERM”) framework, in which cybersecurity risk management is reviewed by the Board on at least an annual basis. Our cybersecurity and privacy programs align with the recognized frameworks established by the National Institute of Standards and Technology and leverage the International Organization for Standardization and other applicable industry standards. The focus of our cybersecurity program is preserving the confidentiality, security and availability of our systems and data, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Cybersecurity Risk Management and Strategy
We have established and implemented processes to assess, identify and manage material cybersecurity risks. Cybersecurity risks are assessed, identified, and managed by our Executive Director of Cybersecurity and Infrastructure, with direct supervision by our Vice President and Chief Information Officer (“CIO”) and with the assistance of our internal audit and legal teams.
Our Executive Director of Cybersecurity and Infrastructure shares information regarding such risks with our management’s senior level information security council (the “Information Security Council”), which consists of our CIO, Senior Vice President and Chief Financial Officer, Vice President and Chief Technical Officer, Senior Vice President and Chief Legal Officer & Corporate Secretary (currently vacant), Vice President of Strategy and Director of Internal Audit & Enterprise Risk Management, and which supports the Audit Committee’s oversight of cybersecurity risk, including by providing regular reports on various cybersecurity matters.
We have in place robust physical, technical, administrative, and organizational controls for the securing of our information systems.
We maintain a comprehensive, risk-based, third-party risk management process to identify, assess and manage cybersecurity risks associated with third-party service providers. Third-party service providers undergo thorough pre-engagement due diligence, including security and privacy assessments. All contracts with such third-party service providers are required to contain security and data processing terms no less stringent than those employed by us in safeguarding our own data. Any third-party service providers with access to confidential or sensitive data are subject to ongoing oversight activities, including assessments and audits, throughout the lifetime of the engagement.
Additionally, we maintain an incident response plan (the “Incident Response Plan”), which establishes a comprehensive, effective, and repeatable process for identifying, escalating and responding to cybersecurity incidents. We test and evaluate the Incident Response Plan, including contingency and recovery plans, on a regular basis, and we develop, implement and review contingency and recovery plans for information systems, both internal and vendor managed.
The results of such assessments drive changes and enhancements to governance, policies, procedures, technologies, and partner decisions to continuously monitor and improve our cybersecurity risk management. The Information Security Council practices the procedures of the Incident Response Plan through tabletop exercises facilitated by external consultants. We also leverage third-party support, including vendors, consultants, and assessors, to analyze risk exposure, to identify remediation opportunities and to reduce our overall cybersecurity risk.
Previous cybersecurity incidents have not materially affected us, including our business strategy, financial condition, results of operations or cash flows. However, risks from cybersecurity threats, including but not limited to security breaches, computer malware, ransom attacks, other cyber-attacks, or other similar threats may materially affect us, including our business, financial condition, results of operations or cash flows.
Governance
The Board oversees the Company’s overall ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee is responsible for overseeing our risk exposure to information security, cybersecurity, and data protection, as well as the steps management has taken to monitor and control such exposures, and regularly provides reports to the Board on cybersecurity risk management. The Audit Committee Charter explicitly sets forth the Audit Committee’s responsibility for such oversight.
The Audit Committee receives regular presentations and reports from our Executive Director of Cybersecurity and Infrastructure and our CIO on cybersecurity risks and prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds.
Our Executive Director of Cybersecurity and Infrastructure and our CIO also report to the Board at least annually and to Audit Committee at least quarterly on current internal and external developments in cybersecurity, as part of the Board’s enterprise risk management review, and the Board receives reports of Audit Committee discussions regarding its oversight of cybersecurity risk. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to the Audit Committee or the Board in a timely manner.
Our Global Cybersecurity Operations function is a global team led by our Executive Director of Cybersecurity and Infrastructure, who reports to our CIO. In turn, our CIO reports to our Chief Executive Officer. The Information Security Council provides additional oversight for assessing and managing cybersecurity risk.
Our Executive Director of Cybersecurity and Infrastructure has over 15 years of cybersecurity and information technology experience, including as Director of Cybersecurity for various institutions. Our Executive Director of Cybersecurity and Infrastructure has a Bachelor of Science in Information Science and Technology and a master’s degree in information sciences, cybersecurity, and information assurance, and he has a Certified Information Systems Security Professional certification, a GIAC Information Security Professional certification and a CompTIA Network+ ce certification.
Our CIO has over 25 years of information technology experience, including serving in the information technology function at Cummins Inc., where she served as the information technology leader for Cummins Filtration Inc. Our CIO holds an undergraduate degree in business administration with emphasis in management information systems.
Each of the other members of the Information Security Council has relevant educational and industry experience, including managing risks at our Company and at similar companies.
Company Information
Name | Atmus Filtration Technologies Inc. |
CIK | 0001921963 |
SIC Description | Motor Vehicle Parts & Accessories |
Ticker | ATMU - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |