DANA INC 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

DANA INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 11:46:09 EST.

Filings

10-K filed on 2024-02-20

DANA INC filed a 10-K at 2024-02-20 11:46:09 EST
Accession Number: 0001437749-24-004751


Item 1C. Cybersecurity.

Dana maintains a risk management program overseen by our Executive Leadership Team. Our Senior Vice President and Chief Financial Officer and Senior Vice President, General Counsel and Secretary / Chief Compliance and Sustainability Officer (General Counsel) have responsibility for our risk management program. In addition, our Business Unit Presidents and functional leads oversee strategic and operational risks, including cybersecurity risks.

Cybersecurity is a top priority, and our cybersecurity program is driven by our commitment to maintaining a strong security architecture, active governance, and robust controls. Our cybersecurity program is led by our Director of Cybersecurity and GRC (DOC) and overseen by Dana's Enterprise Cybersecurity Steering Committee (ECSC). The ECSC is sponsored by senior leaders from disciplines such as Information Technology, Legal, Human Resources, Engineering, Product Development, and Operations, and includes the Senior Vice President and Chief Information Officer (CIO); General Counsel; Senior Vice President and Chief Human Resources Officer; Senior Vice President and Chief Technology Officer; and Senior Vice President Global Operations. The ECSC is responsible for developing and overseeing strategies related to Dana's cybersecurity program.

As set forth in its charter, our Technology & Sustainability Committee, comprised of independent directors, has oversight responsibilities for cybersecurity risk and includes members with significant cybersecurity experience. The DOC and CIO regularly provide updates on Dana's cybersecurity program to the Board and the Technology & Sustainability Committee. Dana's global cybersecurity team is charged with executing enterprise, product, and manufacturing cybersecurity programs and policies with a focus on security architecture, penetration testing, cyber risk management, incident response, vulnerability management, intelligence, awareness and training, and governance.

Dana's cybersecurity programs utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework and leverage the International Organization for Standardization (ISO) 27001 standard for information security. Dana periodically contracts with external auditing firms to assess the maturity of Dana's cybersecurity program against the NIST Cybersecurity Framework. The results of these audits are shared with the Technology & Sustainability Committee. Dana leverages independent security ratings services assessments to aid in measuring our progress along the cybersecurity continuum as well as for measurement against peer companies. Dana's supplier risk management process incorporates cybersecurity review and assessment procedures over third-party vendors and service providers.

Dana has an established cybersecurity awareness training program. Formal training on topics relating to cybersecurity is mandatory at least annually for all employees with access to the Company's network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities including phishing, viruses, spams, insider threats, suspect human behaviors or safety issues. Training is supplemented by phishing awareness campaigns.

In the event a high-risk cybersecurity incident is identified, our Incident Response Team will coordinate the response in accordance with our Information Security Incident Response Plan and make necessary communications to the ECSC and executive leadership. The DOC and CIO will make any required communications to the Chief Executive Officer (CEO), with the CEO making any required communications to the Board and Technology & Sustainability Committee. Our CEO, Chief Financial Officer, General Counsel and CIO are responsible for assessing such incidents for materiality, ensuring that any required notification or communication occurs and determining, among other things, whether any prohibition on the trading of our common stock by insiders should be imposed prior to the disclosure of information about a material cybersecurity event. In the last three years we have not experienced any cybersecurity incident that has been material to the results of our operations or that has caused us to incur any material expenses.


Company Information

Name: DANA INC
CIK: 0000026780
SIC Description: Motor Vehicle Parts & Accessories
Ticker: DAN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30