PACKAGING CORP OF AMERICA 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

PACKAGING CORP OF AMERICA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 12:14:45 EST.

Filings

10-K filed on 2024-02-29

PACKAGING CORP OF AMERICA filed an 10-K at 2024-02-29 12:14:45 EST
Accession Number: 0000950170-24-022794

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity of this Form 10-K. Environmental Matters PCA may incur significant environmental liabilities with respect to both past and future operations. We are subject to, and must comply with, a variety of federal, state and local environmental laws, particularly those relating to air and water quality, waste disposal and the cleanup of contaminated soil and groundwater. Failure to comply with these regulations could result in fines, which may be significant, or other adverse regulatory action. Because environmental regulations are constantly evolving, we have incurred, and will continue to incur, costs to maintain compliance with those laws. See Item 7. Management s Discussion and Analysis of Financial Condition and Results of Operations - Environmental Matters for estimates of expenditures we expect to make for environmental compliance in the next few years. New and more stringent environmental regulations may be adopted and may require us to incur additional operating expenses and/or significant additional capital expenditures to modify or replace certain of our boilers and other equipment. For example, the EPA recently enacted more stringent particulate matter emissions standards, which may make it more difficult to obtain or maintain air permits and more difficult and expensive to comply with the limitations set forth in our permits. We are assessing the impact of these new standards on our business and operations. In addition, environmental regulations may increase the cost of our raw materials and purchased energy. Although we have established reserves to provide for known environmental liabilities, these reserves may change over time due to the enactment of new environmental laws or regulations or changes in existing laws or regulations, which might require additional significant environmental expenditures. Labor Relations If we experience strikes or other work stoppages, our business will be harmed. Our workforce is highly unionized and operates under various collective bargaining agreements. We must negotiate to renew or extend any union contracts that have recently expired or are expiring in the near future. While we believe that we have satisfactory labor relations, we may not be able to successfully negotiate new agreements without work stoppages or labor difficulties in the future or renegotiate them on favorable terms. If we are unable to successfully renegotiate the terms of any of these agreements, or if we experience any extended interruption of operations at any of our facilities as a result of strikes or other work stoppages, our business, results of operations and financial condition may be harmed. Financial Risks Inflation and Other General Cost Increases We may not be able to offset higher costs . We are subject to both contractual, inflationary, and other general cost increases, including with regard to our labor costs and purchases of raw materials and transportation services. General economic conditions have resulted in higher inflation, which has led to higher costs across our business. If we are unable to offset these cost increases by price increases, growth, and/or cost reductions in our operations, these inflationary and other general cost increases could have a material adverse effect on our operating cash flows, profitability, and liquidity. 14 In 2023, our total company costs including cost of sales (COS) and selling, general, and administrative expenses (SG&A) was $6.7 billion, and excluding non-cash costs (depreciation, depletion and amortization, pension and postretirement expense, and share-based compensation expense) was $6.1 billion. A 1% increase in COS and SG&A costs would increase costs by $67 million and cash costs by $61 million. Debt obligations Our debt service obligations may reduce our operating flexibility. At December 31, 2023, we had $2.9 billion of debt outstanding and a $323 million undrawn revolving credit facility, after deducting letters of credit. All debt is comprised of fixed-rate senior notes. We and our subsidiaries are not restricted from incurring, and may incur, additional indebtedness in the future. Our current borrowings, plus any future borrowings, may affect our ability to operate our business, including, without limitation: Result in significant cash requirements to make interest and maturity payments on our outstanding indebtedness; Increase our vulnerability to adverse changes in our business or industry conditions; Increase our vulnerability to increases in interest rates; Limit our ability to obtain additional financing for working capital, capital expenditures, general corporate, and other purposes; Limit our flexibility in planning for, or reacting to, changes in our business and our industry; and Limit our flexibility to make acquisitions. Further, if we cannot service our indebtedness, we may have to take actions to secure additional cash by selling assets, seeking additional equity or reducing investments, which may not be achievable on acceptable terms or at all. Pension Plans Our pension plans may require additional funding. We record a liability associated with our pensions equal to the excess of the benefit obligations over the fair value of the assets funding the plans. The actual required amounts and timing of future cash contributions will be sensitive to changes in the applicable discount rates and returns on plan assets and could also be impacted by future changes in the laws and regulations applicable to plan funding. Fluctuations in the market performance of our plan assets will affect our pension plan costs in future periods. Changes in assumptions regarding expected long-term rate of return on plan assets, our discount rate, expected compensation levels, or mortality will also increase or decrease pension costs. Market Price of our Common Stock - The market price of our common stock may be volatile, which could cause the value of the stock to decline. Securities markets worldwide periodically experience significant price declines and volume fluctuations due to macroeconomic factors and other factors beyond our control. This market volatility, as well as general economic, market, or political conditions, could reduce the market price of our common stock with little regard to our operating performance. In addition, our operating results could be below the expectations of public market analysts and investors, and in response, the market price of our common stock could decrease significantly. Item 1B. U NRESOLVED STAFF COMMENTS None. 15 Item 1C. CY BERSECURITY Risk Management and Strategy The Company maintains a cyber risk management program to prevent, detect and respond to information security threats. This program is supervised by a dedicated Chief Information Security Officer (CISO) whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. The CISO manages the program in collaboration with the Company s businesses and functions. To mitigate the risk of cybersecurity threats and data breaches we also have established policies and procedures, including a Cybersecurity & Data Breach Incident Response Policy and identified an Incident Response Team (IRT) with defined roles, responsibilities and means of communication. As part of our broader risk management and control framework we have implemented cybersecurity controls over the information technology and process control systems of the Company and of its third-party service providers. The Company engages third-party organizations to assess the controls around sensitive data, including but not limited to financial, employee, customer and vendor data as well as data affecting our process controls and data used to operate our manufacturing and converting facilities. We work with an independent assessor to conduct interim assessments and track ongoing efforts to continuously improve the Company s cyber risk management program. The most recent assessment was completed at the end of 2022. In addition, the Company utilizes an independent audit firm to perform specific attack and penetration reviews on an annual basis. While we have experienced threats to our data and systems, as of December 31, 2023, we are not aware of any cybersecurity incidents that have materially impacted, or are reasonably likely to materially impact, our operations or financial condition. Board Roles and Responsibilities The Audit Committee of the Board of Directors oversees the Company s cyber risk management program. The Chief Information Officer (CIO) and the Vice President of Network Services present frequent updates to the Audit Committee and, as necessary, to the full Board of Directors. These regular reports include detailed updates on the Company s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. In addition, we have established processes to notify the Audit Committee of active incidents, as deemed necessary. The Company s program is periodically evaluated by third-party experts, and the results of those reviews are reported to the Board of Directors. Management Responsibilities The Incident Response Team that we have established as part of our cyber risk management program coordinates the Company s response to incidents and communicates with internal and external stakeholders. The team includes members of our Senior Leadership and draws upon additional staff, consultants, advisors and service providers as needed. We are continuously focused on ensuring our Company is protected from potential cyber threats. Our Information Technology (IT) team is comprised of employees with a diverse mix of skills, backgrounds, perspectives, and relevant expertise, that undergo extensive training as part of their employment with the Company. We believe these measures together with our cyber risk management program as well as our policies, processes and procedures set a high benchmark for our employees to address and respond to cybersecurity threats. Our IT team regularly monitors best practices and as needed, implements changes to the Company s cyber risk management program to ensure a robust program is maintained. Aspects of this program include plans and procedures for identifying, communicating and containing security incidents, regular risk assessments and testing of the Company s internal infrastructure to identify vulnerabilities, procedures for recovering from disruptions to our operations, maintaining global security policies, and comprehensive end user training and cybersecurity drills for personnel. See Part I, Item 1A. Risk Factors of this Form 10-K for a discussion of cybersecurity risks.
Item 1C. CY BERSECURITY Risk Management and Strategy The Company maintains a cyber risk management program to prevent, detect and respond to information security threats. This program is supervised by a dedicated Chief Information Security Officer (CISO) whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. The CISO manages the program in collaboration with the Company s businesses and functions. To mitigate the risk of cybersecurity threats and data breaches we also have established policies and procedures, including a Cybersecurity & Data Breach Incident Response Policy and identified an Incident Response Team (IRT) with defined roles, responsibilities and means of communication. As part of our broader risk management and control framework we have implemented cybersecurity controls over the information technology and process control systems of the Company and of its third-party service providers. The Company engages third-party organizations to assess the controls around sensitive data, including but not limited to financial, employee, customer and vendor data as well as data affecting our process controls and data used to operate our manufacturing and converting facilities. We work with an independent assessor to conduct interim assessments and track ongoing efforts to continuously improve the Company s cyber risk management program. The most recent assessment was completed at the end of 2022. In addition, the Company utilizes an independent audit firm to perform specific attack and penetration reviews on an annual basis. While we have experienced threats to our data and systems, as of December 31, 2023, we are not aware of any cybersecurity incidents that have materially impacted, or are reasonably likely to materially impact, our operations or financial condition. Board Roles and Responsibilities The Audit Committee of the Board of Directors oversees the Company s cyber risk management program. The Chief Information Officer (CIO) and the Vice President of Network Services present frequent updates to the Audit Committee and, as necessary, to the full Board of Directors. These regular reports include detailed updates on the Company s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. In addition, we have established processes to notify the Audit Committee of active incidents, as deemed necessary. The Company s program is periodically evaluated by third-party experts, and the results of those reviews are reported to the Board of Directors. Management Responsibilities The Incident Response Team that we have established as part of our cyber risk management program coordinates the Company s response to incidents and communicates with internal and external stakeholders. The team includes members of our Senior Leadership and draws upon additional staff, consultants, advisors and service providers as needed. We are continuously focused on ensuring our Company is protected from potential cyber threats. Our Information Technology (IT) team is comprised of employees with a diverse mix of skills, backgrounds, perspectives, and relevant expertise, that undergo extensive training as part of their employment with the Company. We believe these measures together with our cyber risk management program as well as our policies, processes and procedures set a high benchmark for our employees to address and respond to cybersecurity threats. Our IT team regularly monitors best practices and as needed, implements changes to the Company s cyber risk management program to ensure a robust program is maintained. Aspects of this program include plans and procedures for identifying, communicating and containing security incidents, regular risk assessments and testing of the Company s internal infrastructure to identify vulnerabilities, procedures for recovering from disruptions to our operations, maintaining global security policies, and comprehensive end user training and cybersecurity drills for personnel. See Part I, Item 1A. Risk Factors of this Form 10-K for a discussion of cybersecurity risks.

Company Information