CATERPILLAR INC 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

CATERPILLAR INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 10:05:13 EST.

Filings

10-K filed on 2024-02-16

CATERPILLAR INC filed a 10-K at 2024-02-16 10:05:13 EST
Accession Number: 0000018230-24-000009


Item 1C. Cybersecurity.

As required by Item 106 of Regulation S-K, the following sets forth information regarding our cybersecurity strategy, risk management and governance.

Cybersecurity Strategy and Risk Management

Cybersecurity is critical to advancing our overall objectives and enabling our digital efforts. As a global company, we face a wide variety of cybersecurity threats that range from common attacks such as ransomware and denial-of-service, to attacks from more advanced adversaries. Our customers, suppliers, and other partners face similar cybersecurity threats, and a cybersecurity incident impacting these entities could materially adversely affect our operations, performance and results. These cybersecurity threats and related risks make it imperative that we maintain focus on cybersecurity and systemic risks.

We maintain a comprehensive cybersecurity program which is integrated within the Company's enterprise risk management system and encompasses the corporate information technology and operational technology environments as well as customer-facing products. Our cybersecurity program has implemented a governance structure and process to identify, assess, manage, mitigate, respond to and report on cybersecurity risks.

We utilize cybersecurity policies and frameworks based on industry and government standards. Our cyber risk management program controls are based on recognized best practices and standards, including the National Institute of Standards and Technology (NIST) Cyber Security Framework and the International Organization for Standardization (ISO 27001) Information Security Management System Requirements.

We partner with third parties to support and evaluate our cybersecurity program. These third-party services span areas including cybersecurity maturity assessments, incident response, penetration testing, consulting on best practices, and others. We also consume threat intelligence from several paid and non-paid sources.
We maintain a 24 x 7 operations center which serves as a central location for the reporting of cybersecurity matters, provides monitoring of our global cybersecurity environment, and coordinates the investigation and remediation of alerts. As cybersecurity events occur, the cybersecurity team focuses on responding to and containing the threat and minimizing impact. In the event of an incident, the cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with participation from technical, legal and law enforcement support, as appropriate.

We have implemented a cybersecurity awareness program which covers topics such as phishing, social networking safety, password security and mobile device usage. We have mandatory training in the areas of cybersecurity, privacy, and confidential information handling. We also conduct regular phishing training and simulations for our employees and contractors. We provide extensive specialized role-based training to technical professionals in cybersecurity, secure application development, and other focus areas. We also conduct periodic tabletop exercises to validate our preparation for cyber events.

We operate a third-party cybersecurity program with the goal of minimizing disruption to the Company's business and production operations, strengthening supply chain resilience, and supporting the integrity of components and systems used in its products and services. We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or joint venture partner could materially adversely impact us. We assess third-party cybersecurity controls through a cybersecurity third-party risk assessment process. Identified deficiencies are addressed through a risk remediation process.
For select suppliers, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those suppliers to address potential deficiencies identified.

As of the date of this report, we do not believe that risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. That said, as discussed more fully under "Item 1A. Risk Factors - Operational Risks - Increased information technology security threats and more sophisticated computer crime pose a risk to our systems, networks, products and services" of this Form 10-K, these threats pose a risk to the security of our systems and networks and the confidentiality, availability and integrity of our data. Cybersecurity attacks could also include attacks targeting customer data or the security, integrity and/or reliability of the hardware and software installed in our products. It is possible that our information technology systems and networks, or those managed or provided by third parties, could have vulnerabilities, which could go unnoticed for a period of time. While various procedures and controls have been and are being utilized to mitigate such risks, there can be no guarantee that the actions and controls we have implemented and are implementing, or which we cause or have caused third-party service providers to implement, will be sufficient to protect and mitigate associated risks to our systems, information or other property.

Cybersecurity Governance

Caterpillar's board has oversight for risk management with a focus on the most significant risks facing the Company, including strategic, operational, financial and legal compliance risks.
The board's risk oversight process builds upon management's risk assessment and mitigation processes, which include an enterprise risk management program of which our cybersecurity processes are an integral component.

The board implements its risk oversight function both as a board and through delegation to board committees, which meet regularly and report back to the board. The board has delegated the oversight of specific risks to board committees that align with their functional responsibilities. The Audit Committee (the "AC") assists the board in overseeing the enterprise risk management program and evaluates and monitors risks related to, among other things, the Company's information security program. The AC assesses cybersecurity and information technology risks and the controls implemented to monitor and mitigate these risks. The Company's Chief Information Officer & Senior Vice President, Caterpillar IT (the "CIO") attends all bimonthly AC meetings and provides cybersecurity updates to the AC and board.

Our cybersecurity program is overseen by our CIO, who has been a Caterpillar employee for nearly twenty-five years. Prior to her current appointment as our CIO in September 2020, she was the Chief Information Officer for the Company's Financial Products Division. Her extensive background in IT includes global leadership for large-scale systems transformations, cybersecurity, cloud and application management, global data center management, worldwide network, servers and storage, database management and end-user services. Our CIO leads a cross-functional cybersecurity team comprised of professionals from our product, cybersecurity, legal and compliance organizations who focus on managing the security of our connected solutions. This team manages the Company's global IT systems, IT risk management, cybersecurity, global infrastructure and IT transformations.

Item 1D. Executive Officers of the Registrant.

Name and age | Present Caterpillar Inc. position and date of initial election | Principal positions held during the past five years if other than Caterpillar Inc. position currently held
D. James Umpleby III (65) | Chairman of the Board (2018) and Chief Executive Officer (2017) | Group President (2013-2016)
Andrew R.J. Bonfield (61) | Chief Financial Officer (2018) | Group Chief Financial Officer for a multinational electricity and gas utility company (2010-2018)
Bob De Lange (54) | Group President (2017) | Vice President (2015-2016), Worldwide Product Manager, Medium Wheel Loaders, (2013-2014)
Denise C. Johnson (57) | Group President (2016) | Vice President (2012-2016)
Joseph E. Creed (48) | Chief Operating Officer (2023) | Group President (2021-2023), Vice President, Oil & Gas and Marine Division (2019-2020), Interim Chief Financial Officer (2018), Vice President, Finance Services Division (2017), Group Chief Financial Officer, Energy and Transportation (2013-2016)
Anthony D. Fassino (53) | Group President (2021) | Vice President, Building Construction Products (2018-2020), Director of Worldwide Forestry Products (2016-2018)
Derek R. Owens (50) | Chief Legal Officer and General Counsel (2023) | Senior Vice President (2023), Deputy General Counsel (2021-2023), Associate General Counsel, Litigation & Investigations (2019-2021), Assistant United States Attorney, U.S. Attorney’s Office of the Department of Justice (2005-2019)
Cheryl H. Johnson (63) | Chief Human Resources Officer (2017) | Executive Vice President of Human Resources for a global multi-industry aerospace, defense and industrial manufacturing company (2012-2017)
William E. Schaupp (52) | Vice President and Chief Accounting Officer (2022) | Finance Director, Global Finance Services Division (2021-2022), Vice President and Controller and Chief Accounting Officer of PPG Industries, Inc. (2018-2021)
Jason E. Kaiser (45) | Group President (2024) | Senior Vice President, Electric Power Division (2021-2023), General Manager, Electric Power Division (2019-2021), Product Manager, Electric Power Division (2016-2019)


Company Information

Name: CATERPILLAR INC
CIK: 0000018230
SIC Description: Construction Machinery & Equip
Ticker: CAT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30