CNH Industrial N.V. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

CNH Industrial N.V. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 13:52:01 EST.

Filings

10-K filed on 2024-02-29

CNH Industrial N.V. filed an 10-K at 2024-02-29 13:52:01 EST
Accession Number: 0001628280-24-007899

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We assess, identify and manage risks from cybersecurity threats through our Information Technology Security and Compliance organization ( Cybersecurity Program ), which is part of our larger enterprise risk management framework. The Cybersecurity Program is currently overseen by the Audit Committee of the Board of Directors (the “Audit Committee”) and is managed by our Chief Information and Digital Officer ( CIO ) and a dedicated Chief Information Security Officer ( CISO ). Our current CISO has over 10 years of experience in cybersecurity and has held numerous positions in the cybersecurity sector, including serving as a Global Director of Information Security at another global high-tech manufacturing company. The CISO’s organization has oversight of cybersecurity strategy, policy, standards, architecture and processes for the security of our enterprise network and, information assets. The CISO s organization monitors and manages, and works to identify and assess, cybersecurity risk through various technologies, resources, processes and policies that are updated to align with the changing threat landscape, our evolving business needs and global regulatory requirements. Our strategy includes risk assessments, risk and threat analysis, utilization of security tools, cybersecurity-related tabletop and phishing exercises designed to simulate cybersecurity incidents, and security awareness and technical security trainings. We use a range of defenses to help protect against cybersecurity threats and to work to secure our assets, reduce detection time and improve recoverability These include the ongoing monitoring of our systems, including with the assistance of third party vendors, conducting exercises with employees and senior management, including our executive officers, to promote awareness and improve internal processes. In addition, to promote security awareness throughout the Company, employees with an email address received training and access to security awareness materials in 2023. Further, we are implementing a program for the assessment and monitoring of security standards and control procedures for external suppliers and vendors. Under the Cybersecurity Program, cybersecurity matters are generally managed by a combination of functional groups that report to the Company s global leadership team, as appropriate, on matters such as enterprise level cybersecurity initiatives, threat intelligence and product cybersecurity risks and remediations. Our Board of Directors (the “Board”) addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for overseeing our key risks and controls relating to information systems, including our assessment and mitigation of material risks from cybersecurity threats. The Audit Committee receives periodic reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes from the Chief Information and Digital Officer and CISO. In addition, on at least an annual basis, the Board receives reports, summaries or presentations from our Chief Information and Digital Officer and CISO related to cybersecurity threats, risk, mitigation and related processes. The CISO maintains and periodically updates a Cybersecurity Incident Response Plan which is a guide for to respond effectively and efficiently to cybersecurity incidents in a coordinated manner in the interest of minimizing the risk of harm to our customers, operations, partners, employees and third parties, consistent with our legal obligations. As of the date of this report, we do not believe 28 that risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, we recognize the ever-evolving cyber risk landscape and cannot provide any assurances that we will not be subject to a material cybersecurity incident in the future. For a description of risks related to our information technology systems, including cybersecurity threats, see Item 1A, “Risk Factors.”

Company Information