|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity processes to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our approach to assessing, prioritizing, and effecting cybersecurity processes and projects is based on standards from the National Institute of Standards and Technology ("NIST").
We have established an enterprise risk management ("ERM") program that considers our enterprise strategy, information from internal stakeholders, and information from external sources (e.g., emerging risks and trends, evaluations by third parties, and best practices) to identify, assess, categorize, and monitor risks including cybersecurity risks. The ERM program develops enterprise risk profiles to address individual risk drivers, develop action plans, and monitor against key risk indicators. At least annually, the ERM program is presented to our Board, Audit Committee, and members of management.
We have strategically integrated cybersecurity risk management into our broader ERM program to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes. Our strategy includes regular employee training and awareness on cybersecurity risks and related best practices, required password complexity, the use of multi-factor authentication, information security protocols, anti-virus and anti-ransomware software, a patch management program, the execution of tabletop exercises on a periodic basis, established policies and protocols for cyber incident response planning and reporting, and ongoing internal cybersecurity testing. Our risk management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.
We test our ability to respond to cybersecurity incidents on a recurring basis. Additionally, we engage third-party service providers to assist with the ongoing monitoring for cybersecurity events and incidents, as well as to complete risk quantification analysis and perform penetration and vulnerability testing. If any gaps are identified, the third-party service providers also assist with incident assessment and response. We conduct thorough up-front security assessments of all third-party providers before engagement, led by our Vice President, Chief Information Office ("CIO") and our cybersecurity team, and we maintain ongoing monitoring to ensure compliance with our cybersecurity standards. This approach is designed to mitigate risks related to security incidents originating from third parties.We have not encountered cybersecurity incidents or identified risks from cybersecurity threats that have materially impaired our operations or financial standing.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have strategically integrated cybersecurity risk management into our broader ERM program to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Audit Committee is central to the Board's oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of Board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee is central to the Board's oversight of cybersecurity risks and bears the primary responsibility for this domain.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Vice President, CIO provides comprehensive quarterly briefings to the Audit Committee. These briefings encompass a broad range of topics, including:
•Current cybersecurity landscape and emerging threats;
•Status of ongoing cybersecurity initiatives and strategies;
•Incident reports and learnings from any cybersecurity events; and
•Compliance with regulatory requirements and industry standards.In addition to our quarterly meetings, the Audit Committee, CIO and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.
|Cybersecurity Risk Role of Management [Text Block]
|
Within our organization, we have a management team responsible for assessing and managing cybersecurity risks. The team is led by our CIO and consists of the Cyber Security Incident Response Team ("CSIRT") and internal audit personnel. The CSIRT is comprised of IT management and experienced cybersecurity personnel. The role of the CSIRT is to promptly handle an incident so that containment, investigation, and recovery can occur quickly. Where third-party services are leveraged, they ensure they are
engaged as necessary. The CSIRT Leader oversees and prioritizes actions during an incident's detection, analysis, and containment. They are also responsible for conveying the special requirements of high severity incidents to the rest of the organization as well as communicating potential impacts to the CIO. Additionally, they are responsible for understanding the service level agreements ("SLAs") in place with third parties, and the role third parties may play in specific response scenarios. Effective February 2, 2024, our CIO retired from employment and continued to serve as our CIO as a contractor through May 2024. During that time, he continued his existing duties including oversight and management of cybersecurity risk. In June 2024, the Company announced the hiring of a new CIO who will lead the enterprise technology team. The new CIO has over 30 years of experience in IT, enterprise security, and cyber risk management and has previously held global IT infrastructure and business solutions roles. In addition, our CSIRT Leader has 30 years of technology and cybersecurity experience and has previously held data security and global IT infrastructure positions at risk management and asset protection services companies.
The CIO and CSIRT, in combination with the Senior Vice President, Chief Transformation Officer and CEO, play a pivotal role in informing the Audit Committee of the Board of Directors on cybersecurity risks. The Audit Committee is central to the Board's oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of Board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
The Vice President, CIO provides comprehensive quarterly briefings to the Audit Committee. These briefings encompass a broad range of topics, including:
•Current cybersecurity landscape and emerging threats;
•Status of ongoing cybersecurity initiatives and strategies;
•Incident reports and learnings from any cybersecurity events; and
•Compliance with regulatory requirements and industry standards.
In addition to our quarterly meetings, the Audit Committee, CIO and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. The CIO and CEO provide updates on any significant developments in the cybersecurity domain, ensuring the Board's oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, as well as tabletop exercises for tactical response readiness. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Tennant Company. The Audit Committee conducts an annual review of the Company's cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Within our organization, we have a management team responsible for assessing and managing cybersecurity risks. The team is led by our CIO and consists of the Cyber Security Incident Response Team ("CSIRT") and internal audit personnel. The CSIRT is comprised of IT management and experienced cybersecurity personnel.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The new CIO has over 30 years of experience in IT, enterprise security, and cyber risk management and has previously held global IT infrastructure and business solutions roles. In addition, our CSIRT Leader has 30 years of technology and cybersecurity experience and has previously held data security and global IT infrastructure positions at risk management and asset protection services companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Vice President, CIO provides comprehensive quarterly briefings to the Audit Committee. These briefings encompass a broad range of topics, including:
•Current cybersecurity landscape and emerging threats;
•Status of ongoing cybersecurity initiatives and strategies;
•Incident reports and learnings from any cybersecurity events; and
•Compliance with regulatory requirements and industry standards.In addition to our quarterly meetings, the Audit Committee, CIO and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. The CIO and CEO provide updates on any significant developments in the cybersecurity domain, ensuring the Board's oversight is proactive and responsive.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef