Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity risk management - We devote significant resources to network security, data encryption, employee training, monitoring of networks and systems, patching, maintenance and backup of systems and data. We also follow best practices for IT and data security as our IT controls are aligned with DFARS / NIST 800-171 IT Security Standard for US Government Contractors. Although there have been no cybersecurity incidents that have been material to the Company to date, cyber-attacks are continually becoming more sophisticated, and our IT network is still potentially vulnerable to threats and incidents in the future. As part of our cybersecurity risk management processes, we maintain an incident response plan that establishes a set of procedures for reporting and handling cybersecurity events.
To assure long-term success, Luxfer is committed to discovering and preparing for all potential cybersecurity threats. We set out below certain mitigating actions that we believe help us manage our principal cybersecurity risks.
| Risk | Risk Description | Management of Risk |
| --- | --- | --- |
| Network and Systems | Luxfer’s operations are increasingly dependent on IT systems and management of information, and a cyber-attack could inhibit our business operations including disruption to sales, production and cash flows. | Luxfer has a wide breadth of controls in place to protect against cyber-attacks including firewalls, threat monitoring systems, protected cloud architecture, and more frequent security patching. We have phased out vulnerable operating systems and updated legacy servers with advanced security. Applications that run and manage our core operating data are fully backed up. |
| Employee Error or Misuse | As cyber-attacks and phishing scams are becoming more advanced, employees may fail to recognize the signs of a cyber-attack or rely solely on the Company’s IT defenses. | We have global policies covering IT security standards, annual training modules for employees. We also train our employees on cybersecurity through phishing simulations. |
| Third-Party Cybersecurity Measures | In part, we depend on the reliability of certain tested third parties’ cybersecurity measures, including firewalls, virus solutions and backup solutions. Our business may be affected if these third-party resources are compromised. | Our IT Steering Committee performs thorough due diligence and risk analyses on third party vendors, verifying that sufficient security testing is performed on all software before installation on Luxfer’s network. The IT Steering Committee also monitors and reviews access and permissions to all software and programs regularly. |
| Regulations | We are required to comply with the UK General Data Protection Regulation (GDPR) relating to the security of personally identifiable information that we process. A data breach can result in non-compliance with the GDPR, leading to fines or litigation. | We make every effort to comply with the GDPR and implement best practices including annual review of our Data Protection Policy. We also train employees to maintain secure systems, and access control measures, and regularly monitor and test our networks to protect data, payment information, and personally identifiable information. |
Training and compliance - Our employees are a key line of defense against cybersecurity threats and malicious actors. In addition to our IT Policies, Luxfer has a comprehensive cybersecurity training and awareness program to educate employees on how to recognize cybersecurity threats, prevent cyber-related incidents, and how to report a potential threat or breach. Our online compliance training program is mandatory for all employees worldwide, and includes cybersecurity awareness and IT security trainings, along with other compliance and governance related topics. Within each training module, employees are required to review a Company IT policy applicable to the topic of the training, and attest that they have read, understood, and agree to comply with the Policy.
Luxfer’s IT Steering Committee continues to carry out internal phishing simulations to engage employees with cybersecurity, raise awareness, and educate employees on how to recognize and report phishing attacks. Through the simulations, we are able to test our employees’ reaction to phishing emails and collect important metrics such as click rate. Data collection allows us to pinpoint trouble spots and target additional trainings to specific teams or locations. This information is also reported once to Luxfer’s Senior Leadership Team and is an important supplement to our overall IT security training program.
Security audits and assessments - We perform periodic security audits and assessments to test our cybersecurity program. These efforts span across our cybersecurity program, including but not limited to audits, and assessments. We regularly engage appropriately qualified independent third parties to assess our cybersecurity program, including cybersecurity maturity assessments, and independent review of our security control environment and operating effectiveness.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We devote significant resources to network security, data encryption, employee training, monitoring of networks and systems, patching, maintenance and backup of systems and data. We also follow best practices for IT and data security as our IT controls are aligned with DFARS / NIST 800-171 IT Security Standard for US Government Contractors.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Board's Role - As a part of its regular risk oversight, Luxfer’s Board of Directors is responsible for overseeing cybersecurity, information security, and technology risk. The Board is comprised of independent Non-Executive Directors, and one Executive Director. Luxfer’s Senior Leadership team provides regular reports on information security matters at least quarterly to the Board, as it is their responsibility to oversee Management’s actions to identify, access, mitigate and remediate material risk.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Luxfer’s cybersecurity program is managed by our IT Steering Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] IT Managers, who have operational responsibility for the actions of the Committee, ensure the effective implementation of the Company IT policies and also manage the local IT teams to ensure they are appropriately supported. Local IT teams have the day-to-day responsibility for implementing and monitoring the operation of Company IT policies within their respective business units. IT personnel within the Company are qualified within their respective roles and are provided with the resource to carry out their responsibilities effectively.
Cybersecurity Risk Role of Management [Text Block]
Management's Role - Luxfer’s cybersecurity program is managed by our IT Steering Committee. Comprised of IT Managers from across the company and chaired by a member of Luxfer's executive leadership team, the IT Steering Committee maintains the vision, strategy, and operation of Luxfer’s cybersecurity program. IT Managers, who have operational responsibility for the actions of the Committee, ensure the effective implementation of the Company IT policies and also manage the local IT teams to ensure they are appropriately supported. Local IT teams have the day-to-day responsibility for implementing and monitoring the operation of Company IT policies within their respective business units. IT personnel within the Company are qualified within their respective roles and are provided with the resource to carry out their responsibilities effectively.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Luxfer’s cybersecurity program is managed by our IT Steering Committee.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] IT personnel within the Company are qualified within their respective roles and are provided with the resource to carry out their responsibilities effectively.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Luxfer’s Senior Leadership team provides regular reports on information security matters at least quarterly to the Board, as it is their responsibility to oversee Management’s actions to identify, access, mitigate and remediate material risk.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true