NEWMONT Corp /DE/ 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

NEWMONT Corp /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 07:51:31 EST.

Filings

10-K filed on 2024-02-29

NEWMONT Corp /DE/ filed a 10-K at 2024-02-29 07:51:31 EST
Accession Number: 0001164727-24-000016


Item 1C. Cybersecurity.

Risk Management and Strategy

We rely upon technology and information systems to support our mining and business operations globally. These systems may be susceptible to cybersecurity risks including, but not limited to, external attackers, malware, viruses, and unauthorized access to our IT systems. We continuously invest and develop our cybersecurity controls and processes to address these threats and reduce the risk of future breaches and cyber attacks. Risk associated with a cybersecurity incident, impacting our operations, has been integrated into our overall global risk management system and process.

Foundationally, we seek to manage cyber risk through a structure of controls that includes cybersecurity standards, policies and cyber solutions that protect the availability, integrity, and confidentiality of our critical IT and mining systems. We monitor for emergent cyber threats and assess any actions required to reduce those risks.

Our cybersecurity program is aligned to globally recognized security frameworks including the MITRE ATT&CK Framework, NIST and ISO27001. We are currently certified compliant against ISO27001 and engage a certified audit firm to conduct annual control testing and reaffirm our certification. We further test our cybersecurity controls by engaging leading third-party cybersecurity service providers to perform external and internal penetration tests of critical business applications and mining system. Additionally, we review and tabletop test our incident response plan.

We leverage continuous monitoring of our internet facing presence, as well as known internet based criminal communities for mentions of Newmont, our executives, and employees. Our Security Operations Center (“SOC”) continuously monitors for security events and threats, responding and escalating when appropriate.

We also hold employee trainings on privacy and current cybersecurity topics, conduct phishing tests and generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.

Newmont requires third parties that supply IT services, have access to Newmont systems, or manage Newmont data to adhere to established Newmont security policies. Additionally, Newmont requires that such third parties are required to provide detailed information on their established security controls via our third party risk assessment process. The third party risk assessment informs our contracting process. Specific certification may be required of critical third party IT service providers and partners. All third party workers are bound by our Acceptable Technology Use standard which governs appropriate IT systems access and usage.

Our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, employee or vendor misconduct, and other external hazards could expose our information systems, and those of our vendors, to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business. Cybersecurity incidents may also cause disruption to mining operations; critical financial or reporting systems impairment; breach or integrity loss of Newmont proprietary or confidential data; or external reputational damage. The sophistication of cybersecurity threats, including through the use of artificial intelligence, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may become insufficient. In addition, new technology that could result in greater operational efficiency such as our use of artificial intelligence, fleet electrification, and autonomous vehicles may further expose our operations and computer systems to the risk of cybersecurity incidents.

Newmont did not identify any cybersecurity incidents during the year ended December 31, 2023 that have materially affected or are reasonably likely to materially affect Newmont’s business strategy, results of operations, or financial condition.

Additional information about cybersecurity risks we face is discussed in Item 1A, Risk Factors of this report under the heading "We are dependent upon information technology and operational technology systems, which are subject to disruption, damage, failure and risks associated with implementation, upgrade, operation and integration" which should be read in conjunction with the information above.

Governance

As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including Board oversight, executive commitment and employee training.

Our Audit Committee, comprised of independent directors from our Board, oversees the responsibilities relating to the operational (including information technology (IT) risks and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through quarterly reports from our cybersecurity leadership and it reports any material findings and recommendations to the full Board for consideration.

Our Cybersecurity team, comprised of seasoned IT and cybersecurity members, has decades of experience across multiple technical and compliance disciplines including cyber incident response, forensics, IT compliance, incident recovery, threat investigation and information technology. Our cybersecurity team includes several individuals who hold industry recognized certifications and advanced degrees in cybersecurity. Cybersecurity oversees the implementation and compliance of our information security standards, information technology compliance, and mitigation of information security related risks. The Chief Technology Officer (CTO) and Chief Information Officer (CIO) have direct oversight of the cybersecurity function.

We also have management level committees, leaders, and a cybersecurity incident team who support our processes to assess and manage cybersecurity risk as follows:

The head of privacy, in conjunction with the cybersecurity leadership assists on identification and mitigation of privacy related risks across the enterprise. This combination brings together legal, compliance and other function leads as required.

The Cybersecurity Disclosure Steering Committee, comprised of leadership from IT, cybersecurity, operations, risk, finance, legal and compliance across business segments, contributes to the assessment of cybersecurity breach, planned response, and required disclosures and filings.

The Rapid Response Team, which includes senior executives across the Company and its global operations, is alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The Rapid Response Team performs tabletop exercises on a yearly basis with inclusion across functions.

Each of these committees provides summary reports on their activities, which is then communicated as appropriate to the Audit Committee.


Company Information

Name: NEWMONT Corp /DE/
CIK: 0001164727
SIC Description: Gold and Silver Ores
Ticker: NEM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30