AUTOLIV INC 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

AUTOLIV INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 06:39:06 EST.

Filings

10-K filed on 2024-02-20

AUTOLIV INC filed a 10-K at 2024-02-20 06:39:06 EST
Accession Number: 0000950170-24-016787


Item 1C. Cybersecurity.

Autoliv maintains a cybersecurity program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats as an integrated part of the Company's overall operations. The objective is to provide protection against cybersecurity threats to our employees, operations, data, and products.

Cybersecurity risk management and strategy

Cybersecurity risk management for the Company is undertaken both through dedicated cybersecurity risk management processes and within the Company's overall Enterprise Risk Management program, which is overseen by the Audit and Risk Committee of the Company's Board of Directors. Autoliv has established an Enterprise Risk Management framework aligned to ISO 31000:2019 to ensure that the context, principles, and processes for risk management are embedded and integrated with the operations of the company. All risks across the Autoliv risk universe, including cybersecurity, are assessed with bottom-up risk assessments and subsequently are aggregated and reported to the Audit and Risk Committee of the Company's Board of Directors. Autoliv utilizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework in combination with other corresponding and partially mandated frameworks to guide cybersecurity risk management. This approach includes the identification, assessment, response, and management of risks arising from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our business, data and information systems. The Company contracts with third parties to assess Autoliv's cybersecurity program relative to its peers, utilizing the NIST framework as a baseline.

Furthermore, Autoliv is pursuing an assessment under TISAX (Trusted Information Security Assessment Exchange), an assessment and exchange mechanism for information security in the automotive industry, as well as compliance with road vehicle cybersecurity requirements as applicable to the supply chain under ISO 21434. Frequent testing/auditing activities, bottom-up cybersecurity risk assessments, vulnerability scanning, monitoring of external threat intelligence and supplier risk sources, and 24/7 incident monitoring are executed by the cybersecurity function to inform our understanding of the cybersecurity risk landscape, including solutions from third-party service providers, and what areas of enhancement to prioritize. Further input is gained from regular maturity assessments executed by third parties as well as TISAX assessments executed by external audit bodies. Autoliv combines expertise from our internal cybersecurity function with additional specialist capacities from external consultants and partners as may be needed from time to time. Separately, because we understand the risks associated with engaging third party vendors, such as service providers, consultants and partners, in our cybersecurity risk management processes, we conduct security assessments pre-engagement and monitor their work to mitigate any identified risks. Autoliv has not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the registrant. Despite our efforts, there can be no assurance that the cybersecurity risk management processes and measures described will be fully implemented, complied with or effective in protecting our systems and information. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. For a full discussion of these cybersecurity risks, please see our Risk Factors in Item 1A.

Board and management governance

Management's Role

The Chief Information Security Officer (CISO) is responsible for overseeing the Company's cybersecurity practices. Our CISO joined Autoliv in 2015. He has 29 years of information technology experience, including six years as CISO. The CISO reports directly to the CFO but, in line with the corporate governance model, the CISO's activities are formally governed through a management board, the Digitalization and IT Management Board (DITM Board), comprised of the Chief Information Officer (CIO) and certain members of Autoliv's Executive Management Team (EMT) representing engineering, supply chain management, operations and manufacturing, quality and project management, finance, information technology, and divisional teams. The DITM Board meets at least quarterly with cybersecurity as a standing agenda item. In addition to the standing DITM Board meetings, the CISO, when needs arise, meets with the full EMT, typically at least semi-annually, to report on or discuss specific cybersecurity-related topics.

The Cybersecurity function in Autoliv reports to the CISO. The cybersecurity function includes team members in all of the Company's divisions, including technical security architects and incident response team members. The core team is supported by the broader organization with security coordinators in each plant and tech center and additional functional security experts as deemed relevant, such as in supply chain management and engineering. The function has the responsibility to operate day-to-day activities (e.g., testing, incident monitoring and response, vulnerability scanning and awareness training) as well as to drive prioritized improvements (as identified through the risk management processes), together with other relevant Autoliv functions and stakeholders. The security operations center (SOC), part of the Cybersecurity function, monitors Autoliv for cyber incidents 24/7. A documented incident response process and numerous documented playbooks provide the SOC guidance on how to respond to each type of incident, including categorization and principles for escalation. Incidents are escalated in the organization according to defined criteria to engage a level of authority that is deemed appropriate, such as the Corporate Crisis Management Team if necessary.

Board of Directors Oversight

Our Board, in coordination with the Audit and Risk Committee, oversees the Company's Enterprise Risk Management process, including the management of risks arising from cybersecurity threats. Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit and Risk Committee. Both the Board and the Audit and Risk Committee periodically review the measures we have implemented to identify and mitigate cybersecurity risks. The Audit and Risk Committee receives information from the CISO and other members of management on at least a quarterly basis, which is supplemented by a more extensive briefing from the CISO and management on at least a semi-annual basis on cybersecurity matters, including updates on cybersecurity training programs and the results of external assessments, as applicable. The CISO provides at least an annual briefing to the Board of Directors on these same topics. The routine reporting to the Audit and Risk Committee and the Board includes, as appropriate, the highlights from the full spectrum of work done within the Company's cybersecurity program. The briefings by the CISO to the Audit and Risk Committee and Board also include the review of certifications and cybersecurity maturity assessments by management and third parties.


Company Information

Name: AUTOLIV INC
CIK: 0001034670
SIC Description: Motor Vehicle Parts & Accessories
Ticker: ALV (NYSE), ALIV (OTC)
Website:
Category: Large accelerated filer
Fiscal Year End: December 30