Howmet Aerospace Inc. 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

Howmet Aerospace Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 17:05:19 EST.

Filings

10-K filed on 2024-02-13

Howmet Aerospace Inc. filed an 10-K at 2024-02-13 17:05:19 EST
Accession Number: 0000004281-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity is a critical component of the Company s overall enterprise risk management program. Howmet has implemented a framework of principles, policies and technology designed to protect our systems and data from cybersecurity threats. The Company s Board of Directors (the Board ), through its Cybersecurity Committee, is actively engaged in overseeing and reviewing the Company s cybersecurity programs and risk management. Although past cybersecurity incidents did not have a material impact on the Company, including our strategy, financial condition or results of operations, the scope and impact of any future cybersecurity threat or incident cannot be predicted. See Part I , Item 1A. (Risk Factors) for more information on how material cybersecurity incidents may impact the Company. Howmet has implemented a multi-faceted cybersecurity risk management framework, which includes progressing toward achievement of the Cybersecurity Maturity Model Certification to certify the Company s compliance with certain cybersecurity standards published by the National Institute of Standards and Technology. We deploy and operate preventive and detective controls and processes to mitigate cybersecurity threats, including monitoring our network for known vulnerabilities and signs of unauthorized attempts to access our data and systems. Our approach includes conducting internal vulnerability assessments, external penetration testing and attack simulation. In addition, the Company subscribes to third-party managed security service providers that continuously monitor the Company s systems to assist with early cybersecurity threat detection and protection. Howmet conducts cybersecurity risk assessments of key vendors and other counterparties for any potential risks. Risk-based action plans are further developed to take into account evolving threats, which result in recommendations for new protocols and infrastructure. The Company has a robust program of employee education on the prevention of unauthorized access to Company information and systems. The Company’s cybersecurity risk management is integrated in our overall risk management processes. Our enterprise risks, including cybersecurity risks, are reviewed on a biannual basis. The review involves participation and engagement by, among others, subject matter experts like the Company s Chief Information Security Officer ( CISO ) and Chief Information Officer ( CIO ), the presidents of the Company s business segments, and executive management. Mitigation plans are deployed across the Company with cross-functional collaboration as applicable. Enterprise risk management is reviewed with the Board annually. The Cybersecurity Committee, which originated in 2015 as a dedicated cybersecurity subcommittee of the Audit Committee, assists the Board in its oversight of the Company s cybersecurity programs and risks. Its responsibilities include reviewing the state of the Company s cybersecurity, its strategy, policies, and procedures to mitigate cybersecurity risks, and any significant cybersecurity incidents. The Committee also considers the cybersecurity threat landscape and the impact of emerging cybersecurity developments and regulations that may affect Howmet. The Cybersecurity Committee currently comprises two members and meets at least quarterly with members of management, including the CISO and CIO. The Cybersecurity Committee may, from time to time, invite third-party advisors and experts as it deems appropriate. Pursuant to guidelines adopted by the Cybersecurity Committee, management is required to report immediately to the Chair of the Cybersecurity Committee upon the occurrence of certain cybersecurity incidents and ransomware demands. The Cybersecurity Committee reports to the full Board after each of its meetings and as needed regarding the cybersecurity risks, incidents and other matters reviewed and considered by the Committee. 16 Table of Contents The Company s CISO leads management s assessment, prevention and management of cybersecurity risks. The CISO reports to the CIO who has responsibility for the usability, implementation and management of our information and computing systems. Both bring to their roles extensive experience in information technology and cybersecurity: The Company s CISO joined the Company in 2022. The CISO has over 20 years of experience in information technology, cybersecurity and physical security management, including as Cybersecurity Operations Director at United States Steel Corporation (2020-2022); Director, Global Information Security and Compliance at Kennametal, Inc. (2018-2020); and Global Chief Information Security Officer/HIPAA Security Officer at Westlake Chemical (2013-2017). The CISO holds a Bachelor of Sciences degree in Information Systems Management from Carlow University and a Master of Sciences degree in Information Systems from Robert Morris University, and is a Certified Systems Security Professional. The Company s CIO joined the Company in 2021. The CIO has over 20 years of experience in information technology, including, most recently, as Vice President Global IT and Chief Information Officer at Varroc Lighting Systems (2018-2021) and Chief Information Officer at AM General LLC (2016-2018). The CIO holds a Bachelor of Engineering degree in Industrial Engineering from Universidad de Lima. In the event of a potential material cybersecurity incident or ransomware demand, Howmet has adopted a policy to respond to such event, which includes protocols and procedures to, among other things, escalate the incident or demand, form a core cross-functional response leadership team (including the CISO and CIO) to assess severity, formulate response and remediation, and determine any required reporting or notifications. 17 Table of Contents

Company Information