CENTURY ALUMINUM CO 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

CENTURY ALUMINUM CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:04:07 EDT.

Filings

10-K filed on 2024-03-15

CENTURY ALUMINUM CO filed an 10-K at 2024-03-15 16:04:07 EDT
Accession Number: 0000949157-24-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Century recognizes the importance of developing, implementing, and maintaining appropriate cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. The Board is actively involved in oversight of Century s risk management program, and cybersecurity represents an important component of Century s overall approach to enterprise risk management ( ERM ). Century s cybersecurity policies, standards, processes and practices are based on recognized security frameworks and applicable industry standards. In general, Century seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that Century generates, collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. As one of the critical elements of the Company s overall ERM approach, the Company s cybersecurity program is focused on the following key areas: Governance: As discussed in more detail under the heading Governance, the Board s oversight of cybersecurity risk management is supported by the Company s Chief Information Officer, other members of Management and a dedicated Cybersecurity team. Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, logical access controls, and endpoint protection, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that address the Company s response to a cybersecurity incident, and such plans are regularly evaluated and updated. 24 Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Network Penetration Testing: The Company performs an internal and external network penetration test led by its Internal Audit team and addresses any findings in a timely manner. Risks from Cybersecurity Threats On February 16, 2022, we became aware of a cybersecurity intrusion that caused a network disruption and impacted certain of our systems. Upon detection, we took steps to address the incident, including engaging both internal resources and a team of third-party experts to investigate and respond to this intrusion. While the February 2022 cybersecurity intrusion did not materially and adversely affect our results of operations, such events have the potential to have a material adverse affect on our business strategy, results of operations and financial condition, including by damaging or interrupting access to our information systems or networks, compromising confidential or otherwise protected information, destroying or corrupting data, or otherwise disrupting our operations. Such events could also damage our reputation and our competitive position and could result in litigation with third parties, regulatory action, loss of business, potential liability and increased remediation costs, any of which could have a material adverse effect on our financial condition and results of operations. Such security breaches could also result in a violation of applicable U.S. and international privacy and other laws and could have a material adverse effect on our business, results of operations and financial position. See Risk Factors - Risks Related to Cybersecurity - The failure of our information technology systems, network disruptions, cyber-attacks or other breaches in data security could have a material adverse effect on our business, results of operations and financial position. Governance Board of Directors Oversight The Board as a whole also oversees the Company s cybersecurity risks. Our Chief Information Officer updates the Board periodically regarding the actions management is taking to mitigate the Company s cybersecurity risks and enhance the Company s cybersecurity protection. Management routinely evaluates the Company s existing security processes, procedures and systems in order to determine whether additional enhancements are needed to further reduce the likelihood and impact of a future cybersecurity event. Some of the Company s current safeguards include multi-factor authentication for remote access to systems performing email phishing test campaigns email spam filtering restricted internet firewall rules limiting memory stick and external hard drive use requiring timely application of security and software patches on servers antivirus endpoint protection upgrades performing 24-hour/7-day a week network monitoring and improving our backup and recovery strategy, among others. Management s Role Managing Risk The Chief Information Officer, as well as other members of Management, plays a pivotal role in informing the Board on cybersecurity risks by providing comprehensive briefings to the Board on a regular basis. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats Status of ongoing cybersecurity initiatives and strategies Overall security posture and layers of defense Incident reports and learnings from any cybersecurity events and Compliance with regulatory requirements and industry standards. In addition to regularly scheduled meetings, the Board and the Chief Information Officer maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board s oversight is proactive and responsive. The Board actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. The Board conducts an annual 25 review of the company s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework. Risk Management Personnel Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the Chief Information Officer. The Chief Information Officer extensive experience working in and leading the Company’s information systems. In addition, a dedicated Cybersecurity team, including the Chief Technology Officer and Cybersecurity Manager, provide regular updates to the Chief Information Officer. Monitor Cybersecurity Incidents The Chief Information Officer is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Chief Information Officer implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CIO is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Reporting to Board of Directors The Chief Information Officer, in his capacity, regularly informs the Chief Financial Officer (CFO) and Chief Executive Officer (CEO) of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.

Company Information