CNH Industrial Capital LLC 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

CNH Industrial Capital LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 14:01:32 EDT.

Filings

10-K filed on 2024-03-15

CNH Industrial Capital LLC filed an 10-K at 2024-03-15 14:01:32 EDT
Accession Number: 0001558370-24-003365

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We assess, identify and manage risks from cybersecurity threats through CNH s Information Technology Security and Compliance organization ( Cybersecurity Program ), which is part of CNH s larger enterprise risk management framework. The Cybersecurity Program is currently overseen by the Audit Committee of the Board of Directors for CNH (the CNH Audit Committee ) and is managed by CNH s Chief Information and Digital Officer (the CNH CIO ) and a dedicated CNH Chief Information Security Officer (the CNH CISO ). The CNH CISO has over 10 years of experience in cybersecurity and has held numerous positions in the cybersecurity sector, including serving as a Global Director of Information Security at another global high-tech manufacturing company. The CNH CISO’s organization has oversight of cybersecurity strategy, policy, standards, architecture and processes for the security of our enterprise network and, information assets. The CNH CISO s organization monitors and manages, and works to identify and assess, cybersecurity risk through various technologies, resources, processes and policies that are updated to align with the changing threat landscape, our evolving business needs and global regulatory requirements. Our strategy includes risk assessments, risk and threat analysis, utilization of security tools, cybersecurity-related tabletop and phishing exercises designed to simulate cybersecurity incidents, and security awareness and technical security trainings. We use a range of defenses to help protect against cybersecurity threats and to work to secure our assets, reduce detection time and improve recoverability. These include the ongoing monitoring of our systems, including with the assistance of third-party vendors, conducting exercises with employees and senior management, including our executive officers, to promote awareness and improve internal processes. In addition, to promote security awareness throughout the Company, employees with an email address received training and access to security awareness materials in 2023. Further, we are implementing a program for the assessment and monitoring of security standards and control procedures for external suppliers and vendors. Under the Cybersecurity Program, cybersecurity matters are generally managed by a combination of functional groups that report to CNHI s global leadership team, as appropriate, on matters such as enterprise level cybersecurity initiatives, threat intelligence and product cybersecurity risks and remediations. CNH s Board of Directors (the CNH Board ) addresses our cybersecurity risk management as part of its general oversight function. The CNH Audit Committee is responsible for overseeing our key risks and controls relating to information systems, including our assessment and mitigation of material risks from cybersecurity threats. The CNH Audit Committee receives periodic reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes from the CNH CIO and the CNH CISO. In addition, on at least an annual basis, the CNH Board receives reports, summaries or presentations from the CNH CIO and the CNH CISO related to cybersecurity threats, risk, mitigation and related processes. The CNH CISO maintains and periodically updates a Cybersecurity Incident Response Plan which is a guide for how to respond effectively and efficiently to cybersecurity incidents in a coordinated manner in the interest of minimizing the risk of harm to our customers, operations, partners, employees and third parties, consistent with our legal obligations. As of the date of this report, we do not believe that risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, we recognize the ever-evolving cyber risk landscape and cannot provide any assurances that we will not be subject to a material cybersecurity incident in the future. For a description of risks related to our information technology systems, including cybersecurity threats, see Item 1A, Risk Factors. 17 Table of Contents

Company Information