O-I Glass, Inc. /DE/ 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

O-I Glass, Inc. /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 16:31:33 EST.

Filings

10-K filed on 2024-02-14

O-I Glass, Inc. /DE/ filed an 10-K at 2024-02-14 16:31:33 EST
Accession Number: 0001558370-24-001165

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy The Company has developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of its critical systems and information. The Company assesses its program based on guidance from the National Institute of Standards and Technology ( NIST ). This does not imply that the Company meets any particular technical standards, specifications, or requirements, only that the Company uses the NIST as a guide to help it identify, assess, and manage cybersecurity risks relevant to its business. The Company s cybersecurity risk management program is integrated into its overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. The Company s cybersecurity risk management program includes the following, among other things: risk assessments designed to help identify material cybersecurity risks to the Company s critical systems and information; 23 Table of Contents cross-functional teams responsible for managing the Company’s (1) cybersecurity risk assessment processes, (2) security controls, and (3) response to cybersecurity incidents; the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of the Company s security processes and controls; cybersecurity awareness training of the Company s employees, incident response personnel, and senior management; a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and a third-party risk management process for certain service providers based on the Company s assessment of their criticality to its business and risk profile. The Company has not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected the Company, including its operations, business strategy, results of operations, or financial condition. The Company faces certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect the Company, including its operations, business strategy, results of operations, or financial condition. See Risk Factors Risks Related to Information Technology, Cybersecurity and Data Privacy. Cybersecurity Governance The Company s Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to its Audit Committee (the Committee ) oversight of cybersecurity and other information technology risks. The Committee oversees management s implementation of the Company s cybersecurity risk management program. The Committee receives quarterly reports from management on the Company s cybersecurity risks. In addition, management updates the Committee, as necessary, regarding cybersecurity incidents as determined by its Chief Information Officer (the CIO ). The Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. The full Board of Directors also receives briefings from management on the Company s cybersecurity risk management program. Members of the Board of Directors receive presentations on cybersecurity topics from the CIO or external experts as part of the Board s continuing education on topics that impact public companies. The Company s management team is responsible for assessing and managing the Company s material risks from cybersecurity threats. The Company has a Cybersecurity Steering Committee comprised of members of management, including the CIO and the Company s Director of Cybersecurity, as well as other subject matter experts throughout the Company. The Cybersecurity Steering Committee has primary responsibility for the Company s overall cybersecurity risk management program and supervises both internal cybersecurity personnel and retained external cybersecurity consultants. The experience of the members of the Cybersecurity Steering Committee includes its CIO, who has 37 years of IT experience across various industries, including 32 years in manufacturing, and who is a member of the National Association of Manufacturer s Cybersecurity Advisory Council, and its Director of Cybersecurity, who has 28 years of IT experience, including seven years leading the Company s Cybersecurity Team of IT security professionals, and who is a member of the Information Systems Audit and Control Association and the International Information System Security Certification Consortium. 24 Table of Contents The Cybersecurity Steering Committee supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by the Company; and alerts and reports produced by security tools deployed in the IT environment. 25 Table of Contents

Company Information