| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
We recognize the critical importance of maintaining
the trust and confidence of our customers, business partners, employees and other stakeholders. We engage in active oversight of cybersecurity,
a cornerstone of our comprehensive enterprise risk management (ERM) program. Our cybersecurity framework is rooted in the National Institute
of Standards and Technology, or NIST, Cybersecurity Framework, or CSF, as well as the International Organization for Standardization and
the International Electrotechnical Commission (ISO/IEC 27001), reflecting our commitment to uphold the highest cybersecurity standards.
We align our policies, standards and practices with these benchmarks and dynamically refine them to address evolving cybersecurity threats.
Risk Management and Strategy
We maintain a cybersecurity program aligned with
NIST CSF standards designed to identify critical assets and vulnerabilities, protect them with appropriate safeguards, promptly detect
cybersecurity events, respond effectively to mitigate their impact and recover from incidents to restore services. Our cybersecurity program
is designed to safeguard the confidentiality, integrity and availability of information. Our cybersecurity risk management strategy includes:
● Governance: The Audit Committee of our Board of Directors oversees our cybersecurity risk management. Our Chief Financial Officer and Director of Information Technology, along with key executives, have roles in governance and facilitating alignment across our organization.
● Compliance and Standards: We design our cybersecurity program for compliance with industry-specific and other regulations (e.g., the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)) demonstrating our commitment to both domestic and international information security standards.
Technical Safeguards
We deploy technical defenses against cybersecurity
risks of attack and other incidents, including firewalls, intrusion detection and prevention systems and access controls. We refine these
measures based on our ongoing assessments, including cybersecurity threat intelligence updates.
● Incident Response and Recovery Planning: We maintain incident response and recovery frameworks, tested twice yearly through backup restorations to critical systems, to improve our preparedness to effectively manage and mitigate cybersecurity incidents.
● Education and Awareness: Our personnel and members of our Board of Directors undergo mandatory periodic training on cybersecurity threats, with updated insights into effective defense mechanisms and our evolving cybersecurity policies and practices.
● Use of Third Parties: We collaborate with external cybersecurity service providers, including auditors, consultants and governmental agencies, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements. In addition, we employ third-party technology and other solutions to enhance our protection against cybersecurity risks. These solutions include our use of a managed security service provider to support our in-house technology team, an endpoint detection and response, or EDR, system for ongoing surveillance, detection, and action against threats, as well as a security information and event management, or SIEM, system designed to automate the real-time identification, investigation and prioritization of critical alerts.
● Third-Party Risk Management: We use a comprehensive due diligence process to manage third-party risks, emphasizing continuous monitoring, and to ensure our business partners’ cybersecurity practices meet our stringent standards.
As of the filing of this report, we do not believe
that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or
are reasonably likely to materially affect Alto Ingredients, Inc.
Governance
● We take a comprehensive and forward-looking approach to cybersecurity risk management under the oversight of our Audit Committee. Management, including our Chief Financial Officer and our Director of Information Technology, provides regular updates to ensure a strategic, unified response to cybersecurity challenges. Management is notified of, and monitors, cybersecurity incidents through our EDR and SIEM systems.
● Our Director of Information Technology has over 20 years of experience in information technology and five years of experience serving as a Virtual Chief Information Security Officer for other organizations.
● Our networks and systems are continuously monitored by a combination of third-party service providers and an internal cybersecurity team. Management is promptly notified of cybersecurity incidents.
● Our Audit Committee is promptly notified by our management of any material cybersecurity breach.
● Our Board of Directors is briefed at least quarterly on the state of our cybersecurity program.
● Our internal cybersecurity team collaborates with external cybersecurity service providers, including auditors, consultants and governmental agencies, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements.
Engagement and Continuous Improvement
We periodically evaluate our cybersecurity measures
through internal and external audits and assessments to ensure our cybersecurity program is at the forefront of industry best practices.
The results of these audits and assessments inform adjustments to our cybersecurity program to improve our resilience against emerging
cybersecurity threats.
|
| Cybersecurity Risk Role of Management [Text Block] |
Risk Management and Strategy
We maintain a cybersecurity program aligned with
NIST CSF standards designed to identify critical assets and vulnerabilities, protect them with appropriate safeguards, promptly detect
cybersecurity events, respond effectively to mitigate their impact and recover from incidents to restore services. Our cybersecurity program
is designed to safeguard the confidentiality, integrity and availability of information. Our cybersecurity risk management strategy includes:
● Governance: The Audit Committee of our Board of Directors oversees our cybersecurity risk management. Our Chief Financial Officer and Director of Information Technology, along with key executives, have roles in governance and facilitating alignment across our organization.
● Compliance and Standards: We design our cybersecurity program for compliance with industry-specific and other regulations (e.g., the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)) demonstrating our commitment to both domestic and international information security standards.
Technical Safeguards
We deploy technical defenses against cybersecurity
risks of attack and other incidents, including firewalls, intrusion detection and prevention systems and access controls. We refine these
measures based on our ongoing assessments, including cybersecurity threat intelligence updates.
● Incident Response and Recovery Planning: We maintain incident response and recovery frameworks, tested twice yearly through backup restorations to critical systems, to improve our preparedness to effectively manage and mitigate cybersecurity incidents.
● Education and Awareness: Our personnel and members of our Board of Directors undergo mandatory periodic training on cybersecurity threats, with updated insights into effective defense mechanisms and our evolving cybersecurity policies and practices.
● Use of Third Parties: We collaborate with external cybersecurity service providers, including auditors, consultants and governmental agencies, to refine our cybersecurity measures. These service providers carry out cybersecurity risk evaluations such as periodic assessments and vulnerability scans to pinpoint potential security flaws and suggest enhancements. In addition, we employ third-party technology and other solutions to enhance our protection against cybersecurity risks. These solutions include our use of a managed security service provider to support our in-house technology team, an endpoint detection and response, or EDR, system for ongoing surveillance, detection, and action against threats, as well as a security information and event management, or SIEM, system designed to automate the real-time identification, investigation and prioritization of critical alerts.
● Third-Party Risk Management: We use a comprehensive due diligence process to manage third-party risks, emphasizing continuous monitoring, and to ensure our business partners’ cybersecurity practices meet our stringent standards.
As of the filing of this report, we do not believe
that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or
are reasonably likely to materially affect Alto Ingredients, Inc.
|