Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2024 |
Cybersecurity Risk Management, Strategy, and Governance [Line Items] |
|
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
We recognize the critical importance of maintaining the trust and confidence of our customers, business partners, employees and other stakeholders. We engage in active oversight of cybersecurity, a cornerstone of our comprehensive enterprise risk management (ERM) program. Our cybersecurity framework is rooted in the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, or CSF, as well as the International Organization for Standardization (ISO/IEC 27001), reflecting our commitment to uphold the highest cybersecurity standards. We align our policies, standards and practices with these benchmarks and dynamically refine them to address evolving cybersecurity threats.
Risk Management and Strategy
We maintain a cybersecurity program aligned with NIST CSF standards designed to identify critical assets and vulnerabilities, protect them with appropriate safeguards, promptly detect cybersecurity events, respond effectively to mitigate their impact and recover from incidents to restore services. Our cybersecurity program is designed to safeguard the confidentiality, integrity and availability of information. Our cybersecurity risk management strategy includes:
● Governance: The Audit Committee of our Board of Directors oversees our cybersecurity risk management. Our Chief Financial Officer and Director of Information Technology, along with key executives, have roles in governance and facilitating alignment across our organization.
● Compliance and Standards: We design our cybersecurity program for compliance with industry-specific and other regulations (e.g., the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)) demonstrating our commitment to both domestic and international information security standards.
● Technical Safeguards: We deploy technical defenses against cybersecurity risks of attack and other incidents, including firewalls, intrusion detection and prevention systems and access controls. We refine these measures based on our ongoing assessments, including cybersecurity threat intelligence updates.
● Incident Response and Recovery Planning: We maintain incident response and recovery frameworks, tested twice yearly through backup restorations to critical systems, to improve our preparedness to effectively manage and mitigate cybersecurity incidents.
● Education and Awareness: Our personnel and members of our Board of Directors undergo mandatory periodic training on cybersecurity threats, with updated insights into effective defense mechanisms and our evolving cybersecurity policies and practices.
● Use of Third Parties: We collaborate with external cybersecurity service providers, including auditors, consultants and governmental agencies, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements. In addition, we employ third-party technology and other solutions to enhance our protection against cybersecurity risks. These solutions include our use of a managed security service provider to support our in-house technology team, an endpoint detection and response, or EDR, system for ongoing surveillance, detection, and action against threats, as well as a security information and event management, or SIEM, system designed to automate the real time identification, investigation and prioritization of critical alerts.
● Third-Party Risk Management: We use a comprehensive due diligence process to manage third-party risks, emphasizing continuous monitoring and to ensure our business partners’ cybersecurity practices meet our stringent standards.
As of the filing of this report, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect, Alto Ingredients, Inc.
|
Cybersecurity Risk Management Processes Integrated [Text Block] |
Our cybersecurity program is designed to safeguard the confidentiality, integrity and availability of information.
|
Cybersecurity Risk Management Processes Integrated [Flag] |
true
|
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] |
true
|
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] |
As of the filing of this report, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect, Alto Ingredients, Inc.
|
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] |
false
|
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] |
We take a comprehensive and forward-looking approach to cybersecurity risk management under the oversight of our Audit Committee. Management, including our Chief Financial Officer and our Director of Information Technology, provide regular updates to ensure a strategic, unified response to cybersecurity challenges. Management is notified of, and monitors, cybersecurity incidents through our EDR and SIEM systems.
|
Cybersecurity Risk Role of Management [Text Block] |
Risk Management and Strategy
We maintain a cybersecurity program aligned with NIST CSF standards designed to identify critical assets and vulnerabilities, protect them with appropriate safeguards, promptly detect cybersecurity events, respond effectively to mitigate their impact and recover from incidents to restore services. Our cybersecurity program is designed to safeguard the confidentiality, integrity and availability of information. Our cybersecurity risk management strategy includes:
● Governance: The Audit Committee of our Board of Directors oversees our cybersecurity risk management. Our Chief Financial Officer and Director of Information Technology, along with key executives, have roles in governance and facilitating alignment across our organization.
● Compliance and Standards: We design our cybersecurity program for compliance with industry-specific and other regulations (e.g., the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)) demonstrating our commitment to both domestic and international information security standards.
● Technical Safeguards: We deploy technical defenses against cybersecurity risks of attack and other incidents, including firewalls, intrusion detection and prevention systems and access controls. We refine these measures based on our ongoing assessments, including cybersecurity threat intelligence updates.
● Incident Response and Recovery Planning: We maintain incident response and recovery frameworks, tested twice yearly through backup restorations to critical systems, to improve our preparedness to effectively manage and mitigate cybersecurity incidents.
● Education and Awareness: Our personnel and members of our Board of Directors undergo mandatory periodic training on cybersecurity threats, with updated insights into effective defense mechanisms and our evolving cybersecurity policies and practices.
● Use of Third Parties: We collaborate with external cybersecurity service providers, including auditors, consultants and governmental agencies, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements. In addition, we employ third-party technology and other solutions to enhance our protection against cybersecurity risks. These solutions include our use of a managed security service provider to support our in-house technology team, an endpoint detection and response, or EDR, system for ongoing surveillance, detection, and action against threats, as well as a security information and event management, or SIEM, system designed to automate the real time identification, investigation and prioritization of critical alerts.
● Third-Party Risk Management: We use a comprehensive due diligence process to manage third-party risks, emphasizing continuous monitoring and to ensure our business partners’ cybersecurity practices meet our stringent standards.
As of the filing of this report, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect, Alto Ingredients, Inc.
|
Cybersecurity Risk Management Third Party Engaged [Flag] |
true
|
Cybersecurity Risk Management Positions or Committees Responsible [Flag] |
true
|
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] |
Our Director of Information Technology has over 20 years of experience in information technology and five years of experience serving directly as a Chief Information Security Officer for other organizations.
|
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Governance
● We take a comprehensive and forward-looking approach to cybersecurity risk management under the oversight of our Audit Committee. Management, including our Chief Financial Officer and our Director of Information Technology, provide regular updates to ensure a strategic, unified response to cybersecurity challenges. Management is notified of, and monitors, cybersecurity incidents through our EDR and SIEM systems.
● Our Director of Information Technology has over 20 years of experience in information technology and five years of experience serving directly as a Chief Information Security Officer for other organizations.
● Our networks and systems are continuously monitored by a combination of third-party service providers and an internal cybersecurity team. Management is promptly notified of cybersecurity incidents.
● Our Audit Committee is promptly notified by our management of any material cybersecurity breach.
● Our Board of Directors is briefed at least quarterly on the state of our cybersecurity program.
● Our internal cybersecurity team collaborates with external cybersecurity service providers, including auditors, consultants and governmental agencies, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements.
|