Aptiv PLC 10-K Cybersecurity GRC - 2024-02-06

Page last updated on April 11, 2024

Aptiv PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-06 16:03:44 EST.

Filings

10-K filed on 2024-02-06

Aptiv PLC filed an 10-K at 2024-02-06 16:03:44 EST
Accession Number: 0001521332-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Aptiv has a risk-based cybersecurity program, dedicated to protecting our data, products and information technology systems as well as data belonging to our customers, suppliers and employees. Our ability to keep our business operating effectively depends on the functional and efficient operation of information technology capabilities, both internally and externally. Our capabilities, as well as those of our customers, suppliers, partners and service providers, are crucial to our operations and may contain confidential personal information, sensitive business-related information or intellectual property. These capabilities are also susceptible to interruptions (including those caused by systems failures, cyber-attacks and other natural or man-made incidents or disasters), which may be prolonged or go undetected. Risk Management and Strategy Our cross-functional cybersecurity teams are responsible for addressing both enterprise and product cybersecurity risks. These teams, which are comprised of experts both within the organization and externally, utilize a defensive cybersecurity strategy with multiple layers of cybersecurity controls to protect our data (and data of others in our possession), systems and products. Enterprise and product cybersecurity are incorporated into the Company s overall risk management process. On a monthly basis, the Company s cross-functional Enterprise Risk Management Committee meets to discuss short-term and long-term enterprise-wide risks and necessary action plans to mitigate those risks. The Chief Information Security Officer (the CISO ) regularly presents to the Company s Enterprise Risk Management Committee on key cybersecurity risks, threats and developments, as well as the Company s strategies to mitigate those risks. Enterprise Cybersecurity The Company s Enterprise Cybersecurity team, led by the Chief Information Officer ( CIO ), is responsible for identifying, assessing the severity of, managing and remediating cybersecurity risks to the Company s information technology infrastructure. Risks are identified through vulnerability hunting, infrastructure penetration testing, threat intelligence activities and other processes defined by the infrastructure Governance, Risk and Compliance ( GRC ) assessment program utilized by the Company. Furthermore, this team seeks to reduce cybersecurity risks through a number of activities, including annual cybersecurity training for the majority of the Company s employees, phishing tests, compliance assessments, vulnerability and noncompliance remediation and the implementation and maintenance of new cybersecurity technology. Third-party service providers are also utilized by the Enterprise Cybersecurity team to play a supporting role in incident response, threat intelligence, firewall management, vulnerability management and endpoint management and detection. 27 Table of Contents Aptiv is also exposed to cybersecurity risks at third-parties, such as suppliers, customers, service providers and consultants. Third-party risk to the Company is identified through an internal third-party risk management process, which involves analyzing third parties for cybersecurity risk at onboarding and throughout the duration of their relationship with the Company. For third-parties with a high cyber risk, we also utilize external firms to monitor such third-parties for threats and to provide remediation support as needed. Product Cybersecurity The Company s Product Cybersecurity team, led by the Chief Technology Officer (the CTO ), is responsible for assessing and managing the Company s cybersecurity risk as it relates to Aptiv s product portfolio. Risks are identified through threat intelligence, security testing, including penetration testing, audits and other processes defined by the Company s product cybersecurity GRC program. The processes by which the Product Cybersecurity team manages automotive product security risks have been audited, assessed and certified as compliant with various applicable international regulatory standards by independent third-party auditors. Governance Enterprise Cybersecurity The Company s Enterprise Cybersecurity Security Operation s Center ( SOC ), which is supervised by the CIO, is responsible for identifying, assessing and managing the Company s risks from cybersecurity threats, as well as for responding to cybersecurity incidents. The SOC management team carries a diverse array of applicable cybersecurity and information technology credentials and generally has over twenty years of experience in cybersecurity. When an infrastructure cybersecurity incident occurs, the SOC initiates communications to the appropriate groups within the Company, which may include various members of the Company s management, including the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer and Chief Operating Officer. Depending on the severity and the nature of the incident, an investigation and impact mitigation protocols may be triggered. External experts or agencies may also be engaged in accordance with the Company s policies and procedures. Upon conclusion of the active investigation of an incident, the SOC is required to identify the cause of the incident, formally report to Company leadership, and initiate changes to protect against a recurrence of the incident, among other procedures. Table top exercises are also held annually and are designed to practice and validate existing incident response plans, as well as to identify the plans respective strengths and weaknesses. These exercises test the response capabilities of both technical and executive level resources, including key vice presidents, senior company leaders and cross-functional capabilities, such as with the Product Cybersecurity team as well as with the Legal, Privacy and Sales teams. Product Cybersecurity The Product Security Incident Response Team (the PSIRT ), which is supervised by the CTO, is responsible for responding to product related cybersecurity incidents, which at times involve collaborating with the Enterprise Cybersecurity SOC. The PSIRT team regularly analyzes vulnerabilities reported by threat intelligence and public vulnerability reporting databases and determines whether any of those vulnerabilities are present in the Company s products. Vulnerabilities identified are reviewed by the Vice President of Product Security on a weekly basis with involvement from the CTO and the Company s legal staff as necessary. For all vulnerabilities identified, the PSIRT reviews whether adequate mitigations are already in place. In situations where adequate mitigations are not present, the PSIRT works with the customer to address the concern which may involve adding additional mitigations to the product. Board of Directors Oversight The Company s Board of Directors (the Board ) takes an active role in risk oversight related to cybersecurity matters, primarily through the Audit Committee (the AC ), which covers enterprise cybersecurity risk, and the Innovation and Technology Committee (the ITC ), which covers product cybersecurity risk. The Board, individually and through the AC and ITC, regularly reviews relevant information technology and cybersecurity matters and receives periodic updates from information technology and cybersecurity subject matter experts as part of its risk assessment procedures, including analysis of existing and emerging risks, as well as plans and strategies to address those risks. In connection with the Board s risk management oversight responsibility, the entire Board receives a full briefing from management annually on cybersecurity matters, as well as periodic briefings based on specific requests or current events. On a regular basis, the Board also reviews the Company s enterprise risk management program, within which the Company s cybersecurity processes have been integrated, as described above. 28 Table of Contents The Board and AC regularly review the identification and management of enterprise cybersecurity risks and review regular reports from management on system vulnerabilities and security measures in effect to deter or mitigate breaches or hacking activities. The AC also reviews our guidelines and policies with respect to risk assessment and management of our major financial and information technology risk exposures, including enterprise cybersecurity, along with the monitoring and mitigation of identified exposures. The Board and ITC regularly review the identification and management of product cybersecurity risks and review regular reports from management on risks and mitigation strategies in effect to reduce product cybersecurity risk. The ITC also reviews our guidelines and policies with respect to risk assessment and management of product security risks, including both our approach toward a secure systems development lifecycle and product security incident response. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please refer to Item 1A. Risk Factors of this Annual Report on Form 10-K We face risks related to cybersecurity for both our infrastructure and products and any cybersecurity breach or failure of one or more key information technology systems, or those of third-parties with which we do business could have a material adverse impact on our business or reputation.

Company Information