ICAHN ENTERPRISES L.P. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

ICAHN ENTERPRISES L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 21:56:11 EST.

Filings

10-K filed on 2024-02-28

ICAHN ENTERPRISES L.P. filed a 10-K at 2024-02-28 21:56:11 EST
Accession Number: 0001558370-24-002090


Item 1C. Cybersecurity.

Item 1C. Cybersecurity in this Annual Report on Form 10-K.

Software implementation and upgrades at certain of our subsidiaries may result in complications that adversely impact the timeliness, accuracy and reliability of internal and external reporting.

Our operating subsidiaries are operated and managed on a decentralized basis and their software is not integrated with each other or with us. Certain of our subsidiaries are currently undergoing, or in the future may undergo, software implementation and/or upgrades. Software implementation and upgrades are complex, time consuming and require significant resources. Failure to properly implement or upgrade software, including failure to recruit/retain appropriate experts, train employees, implement processes and properly bridge to legacy software, among others, may negatively impact our subsidiaries' ability to properly operate their businesses and to report internally and externally, including reporting to us. As a result, we may not adequately assess the performance of our subsidiaries, properly allocate resources or report timely and accurate financial results.

Investor and market sentiment towards climate change, fossil fuels, GHG emissions, environmental justice, and other Environmental, Social and Governance ("ESG") matters could adversely affect our business and cost of capital.

There have been efforts in recent years aimed at the investment community, including investment advisors, sovereign wealth funds, public pension funds, universities, and other groups, to promote the divestment of securities of companies in the energy industry, as well as to pressure lenders and other financial services companies to limit or curtail activities with companies in the energy industry. As a result, some financial intermediaries, investors, and other capital markets participants have reduced or ceased lending to, or investing in, companies that operate in industries with higher perceived environmental exposure, such as the energy industry. If we and our Energy segment are unable to meet the ESG standards or investment, lending, ratings, or other policies set by these parties, we may lose investors, investors may allocate a portion of their capital away from us, our cost of capital may increase, the price of our securities may be negatively impacted and our reputation may also be negatively affected.

We or our subsidiaries may pursue acquisitions or other affiliations that involve inherent risks, any of which may cause us not to realize anticipated benefits, and we may have difficulty integrating the operations of any companies that may be acquired, which may adversely affect our operations.

We may expand our existing businesses if appropriate opportunities are identified, as well as use our established businesses as a platform for additional acquisitions in the same or related areas. We and our operating subsidiaries have at times grown through acquisitions and may make additional acquisitions in the future as part of our business strategy. The full benefits of these acquisitions, however, require integration of manufacturing, administrative, financial, sales, and marketing approaches and personnel. We may invest significant resources towards realizing benefits. If we or our operating subsidiaries are unable to successfully integrate acquired businesses, we may not realize the benefits of the acquisitions, our financial results may be negatively affected, and additional cash may be required to integrate such operations. Additionally, any such acquisition, if consummated, could involve risks not presently faced by us.

The existence of a material weakness in internal control over financial reporting of us or one of our consolidated subsidiaries or a recently acquired entity may adversely affect our ability to provide timely and reliable financial information necessary for the conduct of our business and satisfaction of our reporting obligations under the federal securities laws.

To the extent that any material weakness or significant deficiency exists in internal control over financial reporting of us or one of our consolidated subsidiaries or a recently acquired entity, such material weakness or significant deficiency may adversely affect our ability to provide timely and reliable financial information necessary for the conduct of our business and satisfaction of our reporting obligations under the federal securities laws, that could affect our ability to remain listed on Nasdaq. Ineffective internal and disclosure controls could cause investors to lose confidence in our reported financial information, which could have a negative effect on the trading price of our depositary units or the rating of our debt.

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Risk Management and Strategy

We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. We and our subsidiaries depend on the accuracy, capacity, and security of our information technology systems and those used by our third-party service providers. To protect the confidentiality, integrity, and availability of our critical systems and information, we have developed and implemented a cybersecurity risk management program that includes a cybersecurity incident response plan. Our operating subsidiaries operate and manage on a decentralized basis, and their software is not integrated with each other or with us.

Our cybersecurity risk management program covers our businesses and is crafted following frameworks established by the National Institute of Standards and Technology (NIST). While using these frameworks guides our approach to identifying, assessing, and managing cybersecurity risks relevant to our business, it does not imply compliance with any specific technical standards, specifications or requirements. The program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. In addition, our program emphasizes the maintenance of controls and procedures for the prompt escalation of certain cybersecurity incidents, conducting cybersecurity risk assessments, regularly assessing and deploying technical safeguards, establishing incident response and recovery plans, and mandating annual privacy and cybersecurity training for employees to enhance awareness and response to cybersecurity threats.

We maintain that no identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, have materially affected or are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition.

Governance

The Board of Directors of the General Partner, along with the Board's Audit Committee, oversees the management of cybersecurity risks, receiving regular reports from management on the prevention, detection, mitigation, and remediation of cybersecurity incidents, as well as on material security risks and vulnerabilities. The Audit Committee is updated on cybersecurity risks, risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant cybersecurity incidents within our industry. The Audit Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. Board members receive presentations on cybersecurity topics from our Chief Information Officer (CIO), internal security staff or external experts as part of the Board of Directors' continuing education on topics that impact public companies.

Our cybersecurity governance committee led by our management team and our CIO with 15 years of experience in cybersecurity and a CISSP certification, bears the primary responsibility for assessing and managing material cybersecurity risks. Regular meetings are held to review security performance metrics, identify security risks, assess the status of security enhancements, and make recommendations on security policies, procedures, service requirements, and risk mitigation strategies.


Company Information

Name: ICAHN ENTERPRISES L.P.
CIK: 0000813762
SIC Description: Motor Vehicle Parts & Accessories
Ticker: IEP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30