PHINIA INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

PHINIA INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 15:10:19 EST.

Filings

10-K filed on 2024-02-28

PHINIA INC. filed an 10-K at 2024-02-28 15:10:19 EST
Accession Number: 0001968915-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy As part of our overall risk management system and processes, we assess, identify and manage material risks from cybersecurity threats through our Enterprise Risk Management (ERM) process. For a description of cybersecurity risks relevant to our business, see Item 1A, Risk Factors. The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the goals of: (i) identifying, preventing and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, security and availability of the information we collect and store for use in operating our business; (iii) protecting the Company s intellectual property; (iv) maintaining the confidence of our customers, suppliers, other business partners and employees; and (v) providing appropriate disclosure of cybersecurity risks and incidents when required. Our cybersecurity and data protection policies, processes and strategies are informed by regulatory and business requirements, our prior experience addressing cybersecurity attacks and incidents (including with our former affiliates) and industry practices, and are periodically adjusted based on the results of assessments conducted through our ERM practices, third-party audits and independent reviews, and other processes. Consistent with the Company s ERM practices, our cybersecurity policies, processes and layers of defense focus on the following areas: Vigilance. The Company maintains 24/7 cybersecurity threat surveillance in conjunction with a managed security service that monitors system logs and network traffic for indicators of compromise and other suspicious activity, and conducts monthly external vulnerability assessments and annual penetration testing. System Safeguards. The Company deploys system safeguards that are designed to protect the Company s information systems from cybersecurity threats, including early detection and response antivirus tools, data leak prevention tools and systems, vulnerability scans of data centers, firewalls, and anti-malware functionality and access controls. Third-Party Collaboration. The Company utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups, and third-party service providers, to identify, assess and respond to cybersecurity risks. Third-Party Risk Management. The Company has processes in place for identifying and overseeing cybersecurity risks presented by third-party users of the Company s systems, as well as third-party systems that could adversely impact our business in the event of a cybersecurity incident affecting those systems. Training. The Company requires personnel to complete training regarding cybersecurity threats and incident reporting procedures, which reinforces the Company s information security policies and processes. We also require new hires to complete training regarding cybersecurity threats and acceptable use of our information systems. Incident Response Planning. The Company has established and maintains a cybersecurity incident response plan that outlines an organized and timely approach for responding to and handling security incidents affecting the Company s systems or data, as well as taking appropriate action when the source of the intrusion or incident involved data from a third party. A key part of the Company s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company s policies and processes through audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity controls and oversight. Third-party audits and independent reviews of our cybersecurity measures, information security control environment and operating effectiveness are conducted on at least an annual basis to assist us with enhancing, implementing and monitoring our cybersecurity risk management programs. As a global company, we have experienced cybersecurity attacks and incidents in the past, and we could in the future experience similar attacks. To date, we have not experienced a cybersecurity incident or attack, or any risk from cybersecurity threats, that has materially affected or is reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. 26 Table of Contents Governance The Board, in coordination with the Audit Committee, oversees the Company s policies with respect to the assessment and management of risks from cybersecurity threats. The Board and Audit Committee receive regular updates regarding cybersecurity risks from the Company s Chief Information Security Officer (CISO) and Chief Information Officer (CIO), including with respect to the assessment and management of such risks and recent developments, trends and the general threat environment. The Company s cybersecurity team, which is led by our CISO, is responsible for overseeing the Company s cybersecurity and data security operations, programs, policies and processes and their general effectiveness. The cybersecurity team, in coordination with other Incident Response Team members, works collaboratively across the Company to implement a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any cybersecurity incident. The Company s Incident Response Team consists of our CISO and other senior leaders from the Company s cybersecurity (composed of information security and technology operations), compliance, legal, financial reporting and other key business and corporate functions. The CISO and other Incident Response Team members monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in accordance with the incident response plan. The team also informs and coordinates with the Company s Disclosure Committee in timely reporting such incidents, as appropriate and depending on the severity of the incident, to the Strategy Board (consisting of our CEO, Chief Financial Officer (CFO), General Counsel, CIO and other members of management), Audit Committee and Board, and providing updates regarding such incidents until addressed. We have experienced leaders responsible for assessing and managing risks arising from cybersecurity threats. Our CISO reports to the CIO and has served in various roles in information technology and information security for over 28 years, including most recently leading the Information Security Office of BorgWarner Inc. He holds a Bachelor of Science in Physics. The Company s CIO reports to our CEO and has served in various roles in information technology and information security for over 25 years, including most recently as CIO of Gentherm Incorporated. Our CIO holds a Bachelor of Science in Business, with a concentration in Computer Information Systems, and an MBA in Finance and Strategic Management. He is also a Digital Directors Network (DDN) Boardroom Certified Qualified Technology Expert (QTE). In addition, the Company s CEO, CFO and General Counsel each have experience overseeing the management of cybersecurity and other risks similar to those impacting the Company s business.

Company Information