CLEVELAND-CLIFFS INC. 10-K Cybersecurity GRC - 2024-02-08

Page last updated on April 11, 2024

CLEVELAND-CLIFFS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 16:09:27 EST.

Filings

10-K filed on 2024-02-08

CLEVELAND-CLIFFS INC. filed an 10-K at 2024-02-08 16:09:27 EST
Accession Number: 0000764065-24-000038

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Management of cybersecurity risks is an integral part of our overall risk management framework and is essential for safeguarding our business and data. We have developed an information security program to assess, identify and manage material risks from cybersecurity threats. The program includes policies and procedures that identify how security measures and controls drawn from multiple security frameworks are developed, implemented and maintained. Our cybersecurity risk management program works to balance critical infrastructure, network, application, cloud and information security objectives with overall business objectives and risk tolerance. Specific controls that are used include endpoint threat detection and response, identity and access management, privileged access management, logging and monitoring involving the use of security information and event management, multi-factor authentication, firewalls and intrusion detection and prevention, and vulnerability and patch management. We use threat intelligence to inform our defensive measures. We use external and internal threat intelligence sources, including information from industry vendors and government agencies. Evolving threats and risks we are also monitoring and working to protect against include artificial intelligence, ransomware and nation-state attacks. We believe in continuous improvement as part of the effort to optimize security, and we work to foster that culture through various initiatives: Cybersecurity Awareness Trainings: We educate employees on best practices for online safety and for identifying potential cybersecurity threats, including by initiating quarterly training programs for our non-represented salaried workforce. Simulated Cyberattacks: With assistance from qualified third-party experts, we periodically conduct penetration testing and tabletop exercises to test our technical controls and incident response plans. Security Monitoring: We monitor our information technology environment with both our internal cybersecurity resources and third-party service providers. We also have processes in place to monitor the cybersecurity practices of various third-party service providers, including certain vendors that have access to our information systems or sensitive data. Proactive Reporting and Investigation: As part of our training initiatives, we regularly educate employees on how to report any suspicious cyber activity or potential cybersecurity issues, and we investigate reported concerns. Third-party security firms are used in different capacities to provide or operate some of these programs, controls and technology systems, including cloud-based platforms and services. Our Board of Directors has overall oversight responsibility for our enterprise risk management program and delegates cybersecurity risk management oversight to the Audit Committee of the Board of Directors. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the Company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. Management, including the Chief Information Officer with support from our cybersecurity team, updates the Audit Committee on at least a biannual basis regarding our cybersecurity programs and material cybersecurity risks and mitigation strategies. The Audit Committee also regularly reports on discussions regarding cybersecurity risks to our full Board of Directors. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Information Officer, who receives reports from our cybersecurity team and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. Our cybersecurity team includes personnel that have obtained credentials from the International System Security Certification Consortium and the SANS Institute, such as Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler, as well as experienced information systems security professionals and information security managers. Additionally, our internal Information Security Committee, composed of leaders from key departments, collaborates on a cross-functional basis to identify practices that can counter threats and to monitor our cybersecurity programs and our cybersecurity incident response plans. We recognize the ever-present global risk of cyberattacks from diverse threat actors, including nation-states, cybercriminals, hacktivists, insiders and organized crime. In spite of our efforts, we (or third parties we rely on) may not be able to fully, continuously and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement, but it is possible we may not implement appropriate controls if we do not recognize or we underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. Further, even events that are detected by security tools or third parties may not always be immediately understood or acted upon. While no organization is immune to attack attempts and we cannot eliminate all risks from cybersecurity threats or provide assurance that we have not experienced an undetected cybersecurity incident, in 2023 we did not identify any material cybersecurity events that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For more information about these risks, please see Part I - Item 1A. Risk Factors - IV. Operational Risks - A disruption in or failure of our IT systems, including those related to cybersecurity, could adversely affect our business operations, reputation and financial performance . 28 | CLF 2023 FORM 10-K Table of Contents

Company Information