Axalta Coating Systems Ltd. 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

Axalta Coating Systems Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 10:49:21 EST.

Filings

10-K filed on 2024-02-15

Axalta Coating Systems Ltd. filed an 10-K at 2024-02-15 10:49:21 EST
Accession Number: 0001616862-24-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The availability of our products and services and fulfillment of our customer obligations depend on the continuing operation of our information technology and communications systems. Accordingly, cybersecurity represents a critical component of the Company s overall approach to risk management. The Company s cybersecurity policies, standards and practices are integrated into the Company s enterprise risk management ( ERM ) approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by the Board, as described below, acting through the Audit Committee. The Company s cybersecurity policies, standards and practices leverage recognized frameworks established by the International Organization for Standardization. The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the goals of implementing and maintaining preventative controls, identifying and monitoring threats and maximizing chances of recovery in the case of a cybersecurity incident. The Company periodically engages assessors, consultants, auditors and other third parties to assess our cybersecurity programs, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The Company attempts to adjust its cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews. In engaging with third-party providers that will have access to certain sensitive Company data, the Company performs a cross-functional due diligence review and attempts to identify risks posed by engaging such third-party providers, and, where feasible, seeks to obtain contractual commitments from such third parties with respect to such engagement. The Company maintains cybersecurity insurance with coverage for security incident response expenses, certain losses due to network security failures, investigation expenses, privacy liability and certain third-party liability, subject to certain deductibles, exclusions and policy limits. Governance and Oversight The Board and the Audit Committee are responsible for overseeing the Company s ERM processes, with the Audit Committee being tasked with overseeing cybersecurity risks facing the Company. Throughout the year, the Audit Committee receives relevant updates from management on cybersecurity matters, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the overall threat environment, technological trends, global employee training and efforts to enhance the Company s cybersecurity capabilities and preparedness. Relevant matters are also reviewed with the full Board on at least an annual basis. The Company s Chief Information and Digital Officer (the CIDO ), who reports directly to the Senior Vice President, Chief Financial Officer, is the member of the Company s management that is principally responsible for overseeing the Company s cybersecurity risk management programs, in partnership with business and functional leaders across the Company. The CIDO has 23 years of experience in the information technology and cybersecurity field, including previous roles in security architecture, audit, compliance, and governance. Under the oversight of the CIDO, members of the Company s Information Technology and Compliance departments administer the Company’s cybersecurity response policies, including assessing cybersecurity incidents as they occur and determining the severity of any cybersecurity incidents. To facilitate the success of this program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company s policies. These teams report to an incident response governance team, which is composed of members of the Company s senior leadership team. These teams monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report incidents to the Audit Committee, as appropriate. For additional information regarding how cybersecurity threats have affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see Part I, Item 1A, Risk Factors General Risk Factors Interruption, interference with, or failure of our information technology and communications systems could hurt our ability to effectively provide our products and services, which could harm our reputation, financial condition, operating results and cash flows . 29 Table of Contents

Company Information