ALTA EQUIPMENT GROUP INC. 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

ALTA EQUIPMENT GROUP INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 16:29:21 EST.

Filings

10-K filed on 2025-03-05

ALTA EQUIPMENT GROUP INC. filed a 10-K at 2025-03-05 16:29:21 EST
Accession Number: 0000950170-25-033669

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Governance Governance and oversight of cybersecurity risks and strategies form a core component of our risk management framework. Recognizing the critical importance of cybersecurity in protecting our operations and preserving shareholder value, we have established a governance structure that emphasizes risk identification, management, and mitigation across our organization. Central to our governance approach is the involvement of our Audit Committee, which maintains oversight over the Company’s cybersecurity strategy . 18 Key to the Audit Committee’s role is its periodic engagement with our cybersecurity team, as further described below, which provides direct communication and alignment on cybersecurity matters between members of our board and management. During these critical meetings, several pivotal areas are reviewed to assess the adequacy and effectiveness of our cybersecurity measures: - Incident Response: Evaluation of our readiness and response strategies to potential cybersecurity incidents. - Cybersecurity Industry Updates: Review of recent industry developments (i.e., new threats/tactics, industry news) to focus on compliance and adaptation of our strategies accordingly. - Acquisition Security Integration: Discussion on the security aspects of recent or upcoming acquisitions, focusing on the integration of their cybersecurity frameworks into our broader security posture. - Employee Security Awareness and Training: Information regarding our regular testing and training of employees is presented and discussed. - Penetration Test Results: Analysis of our regular penetration testing exercises, which help identify vulnerabilities and strengthen our defenses. - Questions and Answers: An open forum for the Audit Committee to seek clarifications and provide guidance on cybersecurity matters, fostering a culture of transparency and continuous improvement. This structured approach to governance and oversight, with an emphasis on receiving feedback allows us to align across the Alta organization. By prioritizing the identification and management of cybersecurity risks, we aim to safeguard our assets and maintain the continuity of our business operations in the face of evolving cyber threats. Management Our Senior Director of IT and Director of Security and Compliance have primary responsibility for assessing and managing cybersecurity risks. An internal team of cybersecurity professionals execute our cybersecurity program while our VP of Information Services provides executive oversight. Combined, our experts bring multiple decades of cybersecurity experience and have earned cybersecurity-related certifications. Our internal team is bolstered by strategic third-party security partners leveraged to provide 24x7 monitoring and response. Third parties routinely assess our security practices providing tactical assistance or strategic guidance through audits and penetration tests. All members of the team routinely discuss emerging security threats and ways to mitigate risk. Strategy We utilize an in-depth layered approach to security. This allows us to respond and mitigate cybersecurity risks, underscoring our commitment to the confidentiality, integrity, and availability of our data and systems. The Company has processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. Our strategy includes the deployment of advanced security products and penetration testing to identify and mitigate vulnerabilities by continuous vulnerability scanning and monitoring by both internal and external teams. This approach is bolstered by backup and recovery protocols, including data resilience, email security measures and endpoint detection and response systems to thwart malicious activities. Additionally, our commitment to security is evident in our security awareness training for all employees, dark web monitoring, and 24x7 threat monitoring. Our incident response plan is designed to address security incidents effectively, supported by stringent information security policies and the implementation of a security information and event manager system for real-time analysis and reporting of security events and incidents. As part of our security commitment, we undergo penetration testing to assess whether our necessary security controls are maintained. The Company faces risks from cybersecurity threats that could potentially have an adverse effect on our business, financial condition, results of operations, cash flows and reputation. Although such risks have no t materially affected our business, to date, we have experienced various immaterial threats to our data and systems. For more information about the cybersecurity risks we face, see the risk factor entitled “Security breaches and other disruptions in the Company’s IT systems, including the Company’s ERP system, could limit the Company’s capacity to effectively monitor and control our operations, compromise ours or our employees’, customers’ and suppliers’ confidential information, or otherwise adversely affect the Company’s operating results or business reputation” in Item 1A. Risk Factors. 19

Company Information