Page last updated on March 24, 2025
POWER SOLUTIONS INTERNATIONAL, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-24 16:42:35 EDT.
Filings
10-K filed on 2025-03-24
POWER SOLUTIONS INTERNATIONAL, INC. filed a 10-K at 2025-03-24 16:42:35 EDT
Accession Number: 0001137091-25-000005
Item 1C. Cybersecurity.
The Company continuously enhances policies, procedures, and controls to mitigate against the substantial rise in the prevalence of cybersecurity risks and challenges to protect its data.

Risk Management Strategy

The Company’s cybersecurity risk management function is led by the Vice President of Information Technology, who evaluates processes and activities within the Company’s information technology infrastructure and automated systems. In 2023, the Company completed a detailed assessment to identify all technology and cyber tools currently in place and assessed its information technology personnel’s cybersecurity capabilities and skill sets. In 2023, the Company focused on formalizing cybersecurity procedures and defining standards for risk identification and communication activities. The Company utilizes the National Institute of Standards and Technology guidance in all cybersecurity policies and procedures. Annual training for 22 employees is required as well as ad hoc trainings for specific topics or events as deemed appropriate throughout the year. The Company also has cyber insurance to assist the Company both financially and operationally if a cyber event were to occur.

Below is the basic framework used in the Company’s risk management strategy:

- Identify - set of procedures to identify assets to be protected, including computation, data, and integrity;
- Protect - set of procedures to effectively engage and monitor adequate safeguards of critical infrastructure services;
- Detect - set of activities, tools, and procedures to timely identify anomalies through continuous monitoring;
- Respond - set of activities to effectively respond to and contain detected and confirmed cybersecurity events; and
- Recover - set of activities and procedures to ensure any assets impaired because of a cybersecurity event are restored to use within the stated recovery point/time objectives.
The Company has taken steps to gain insights into how cybersecurity risk management functions have been integrated into its overall risk management systems and process. Below are the risk management activities regularly performed:

- Cybersecurity, as described above;
- Financial control risk assessment which is a formal part of the annual internal control program;
- Management’s risk assessment associated with the budgeting and strategic planning process;
- Annual update of risk factors in the Company’s Form 10-K by key executives; and
- A broader fraud risk assessment (also performed as part of the internal control program).

The Company’s information technology and risk management function is highly centralized, with the Corporate Controller and Vice President of Information Technology involved in most of the risk-related activities, which provides a consistent input throughout risk management activities as well as aiding in identifying dependencies and duplications.

The Company engaged a third party to conduct phishing and penetration tests in 2024. The Company continues to evolve its processes, procedures, and tools as a result of the observations from these tests.

The Vice President of Information Technology oversees the population of third-party service providers connected to any of the Company’s networks. For each third-party service provider that would directly impact the Company’s financial reporting, the Company obtains a System and Organization Controls (SOC) 1, Type 2 Report (“SOC 1 Report”) to evaluate that service provider’s internal controls and help the Company assess the risk of obtaining services from that service provider. The SOC 1 Report is reviewed by members of the Company’s management and the Internal Audit group. The Company also limits access to information granted to any third-party service provider to only the information necessary for them to perform their services to the Company.
In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents. We face ongoing risks from certain cybersecurity threats, and we cannot provide assurance that, if those risks materialize, our business strategy, results of operations or financial condition will not be materially affected in the future. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.

Governance and Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

The Audit Committee of the Board (the “Audit Committee”) has been designated as the board committee with oversight responsibility of cybersecurity as delegated in the Audit Committee charter.
The following summarizes the role and frequency in which the Audit Committee oversees and monitors cybersecurity risks:

- At least annually, the Vice President of Information Technology presents compliance activities related to cybersecurity to the Audit Committee, which includes those activities related to compliance with the cybersecurity disclosure regulations;
- Material breaches, if any, are disclosed to the Audit Committee either in regularly scheduled meetings or, if urgent, in calls with the Chair of the Audit Committee;
- Periodically, the Vice President of Information Technology provides updates to the Audit Committee on internal controls surrounding information technology (including cybersecurity);
- The Chair of the Audit Committee provides regular updates during Audit Committee meetings which includes cybersecurity; and
- The Vice President of Information Technology presents updates on the cybersecurity program to the Company’s Board annually.

The Vice President of Information Technology is responsible for managing overall cybersecurity and cyber risks, including infrastructure, development, and cybersecurity. The Vice President of Information Technology has extensive and progressive experience in supporting information technology risks and objectives in manufacturing companies equivalent to the Company and is a Certified Information Systems Security Professional from ISC2, a leading association for cybersecurity professionals.

The Company’s Vice President of Information Technology is required to have the following qualifications:

- Asset Security;
- Security Architecture and Engineering;
- Communication and Network Security;
- Identity and Access Management;
- Security Assessment and Testing;
- Security Operations; and
- Software Development Security.
The Company’s Vice President of Information Technology is the central contact point to receive (i) alerts regarding potential cybersecurity incidents and (ii) reports from the Company’s Information Technology personnel regarding potential cybersecurity incidents. All confirmed cybersecurity events are communicated by the Vice President of Information Technology to the Corporate Controller and Vice President of Internal Audit. Material confirmed cybersecurity events are further escalated to the Chief Executive Officer and Chief Financial Officer for further review, discussion and remediation.
Company Information
Name | POWER SOLUTIONS INTERNATIONAL, INC. |
CIK | 0001137091 |
SIC Description | Engines & Turbines |
Ticker | PSIX - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |