CF Industries Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

CF Industries Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:33:13 EST.

Filings

10-K filed on 2024-02-22

CF Industries Holdings, Inc. filed a 10-K at 2024-02-22 16:33:13 EST
Accession Number: 0001324404-24-000008

Item 1C. Cybersecurity.

Cybersecurity risk management, including our processes for assessing, identifying and managing material risks from cybersecurity threats, is an integral part of our overall enterprise risk management (ERM) program. The ERM program includes an annual assessment process designed to identify risks, including those from cybersecurity threats, that could affect us and the achievement of our objectives; to understand, assess, and prioritize those risks; and to facilitate the implementation of risk management strategies and processes across the company that are responsive to the company's risk profile, business strategies, and specific material risk exposures. The ERM program seeks to integrate consideration of risk and risk management into business decision-making throughout the company, including through the implementation of policies and procedures intended to ensure that necessary information with respect to material risks, including material risks from cybersecurity threats, is transmitted to senior executives and, as appropriate, to the Board of Directors (Board) or relevant committees.

The Board regularly reviews and discusses with the key members of management responsible for management of risk the guidelines and policies governing the ERM process, the key risks identified in the ERM process, the likelihood of occurrence and the potential impact assigned to those risks by management, and the risk mitigation strategies in each instance.

The Audit Committee of the Board provides oversight in connection with management's cybersecurity efforts. The Audit Committee receives periodic reports summarizing threat detection and mitigation plans, audits of internal controls, training and certification and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to cybersecurity. The Audit Committee also receives regular reports on the efficacy of our cybersecurity risks and related policies and procedures from our chief information officer and other members of senior management who are tasked with monitoring cybersecurity risks. Our chief information officer oversees a dedicated team of certified cybersecurity professionals, with an average of over 12 years of relevant experience.

Our cybersecurity strategy prioritizes protection, detection, analysis, and response to known, anticipated or unexpected cyber threats, effective management of cyber risks and resilience against cyber incidents. We maintain a formal cybersecurity program structured around the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a voluntary framework created by industry and the U.S. government to promote the protection of our infrastructure from cybersecurity risks. We contract with an external auditing firm to assess our cybersecurity controls relative to industry peers using the NIST CSF, which has five functions: identify, protect, detect, respond and recover.

We consistently evaluate the threat landscape, adopting a multifaceted approach to cybersecurity risks through a zero-trust strategy focusing on prevention, detection, and mitigation, which includes the following programs and practices:

Our cybersecurity team conducts an annual review of cybersecurity risks at the ERM level, integrating significant cybersecurity risks into our overall ERM program.

We remain committed to increasing investments in cybersecurity, which includes providing additional training for end-users, adopting a zero-trust methodology, identifying and safeguarding critical assets, and reinforcing monitoring and alerting capabilities.

Our proactive approach involves regular testing of defenses through simulations and penetration tests, both technically and through a comprehensive review of operational policies and procedures.

At the managerial level, our cybersecurity team consistently monitors alerts and holds regular meetings to discuss threat levels, trends, and remediation strategies. Additionally, we conduct periodic external penetration tests and maturity testing to assess the effectiveness of our security controls, including processes, procedures, and our readiness to face the evolving threat landscape.

We consider and assess the cybersecurity risks associated with the utilization of third-party service providers under our third-party risk management program. Pursuant to the program, we evaluate security and data privacy controls prior to sharing or authorizing the hosting of sensitive data in computing environments managed by third parties. In addition, our standard terms and conditions with third-party service providers feature contractual provisions mandating specific security protections.

Our cybersecurity incident response plan is designed to detect and address potential threats that may impact the confidentiality, integrity, and availability of our technology systems. The response plan includes coordinated processes for handling security and data privacy incidents, encompassing communication and effective response.

Our global business continuity program includes information technology disaster recovery, supporting resilience in both our business and information technology.

To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or that we believe are reasonably likely to materially affect our business strategy, results of operations, or financial condition. We cannot, however, eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, see the disclosure in Item 1A. Risk Factors under "Operational Risks - We are subject to risks relating to our information technology systems, and any technology disruption or cybersecurity incident could negatively affect our operations."


Company Information

Name: CF Industries Holdings, Inc.
CIK: 0001324404
SIC Description: Agricultural Chemicals
Ticker: CF - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30