Novelis Inc. 10-K Cybersecurity GRC - 2024-05-06

Page last updated on May 6, 2024

Novelis Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-06 12:04:08 EDT.

Filings

10-K filed on 2024-05-06

Novelis Inc. filed an 10-K at 2024-05-06 12:04:08 EDT
Accession Number: 0001304280-24-000024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy As with most companies, we rely heavily on our information technology networks and systems for all aspects of our business and operations. At the same time, information technology networks and systems (our own as well as those managed by third parties) are susceptible to various vulnerabilities, including, without limitation, computer viruses, cyber-attacks, ransomware attacks, malware attacks, attacks by foreign governments and state-sponsored actors, and misconduct by employees or other insiders. Specifically with respect to cyber, ransomware, and similar attacks, the occurrence of any significant event could compromise our networks and result in unauthorized access, destruction, theft and/or public disclosure of our information. Any such access, disclosure, or other loss of information could result in legal claims or proceedings, liability, or regulatory penalties under privacy laws. In addition, we could incur significant costs in notifying affected persons and entities and otherwise complying with the multitude of foreign, federal, state and local laws and regulations relating to the unauthorized access to, or use or disclosure of, personal, customer and product information, as well as significant costs to remediate, fix, or address any network and system issues that led to such vulnerability. Accordingly, we recognize the importance of maintaining an integrated cybersecurity risk management system and view our responsibility for cybersecurity management as an enterprise risk, and we have therefore adopted proactive and defensive safeguard, which are integrated into our overall ERM program. We maintain layered processes that place responsibility for management and mitigation of cybersecurity risks at both the management and Board level, as more fully described below under “Cybersecurity Governance.” 34 Separately, we also face cybersecurity threats related to third-party service providers and vendors. A significant cyber, ransomware or similar attack affecting or impacting one of our third-party providers or vendors could also render our networks and systems vulnerable and result in similar consequences as described above for direct attacks on our networks and systems. We maintain policies, standards, and processes to oversee, identify, and mitigate risks from cybersecurity threats related to third-party service providers and vendors, including conducting security assessments of critical third-party service providers and vendors before onboarding, periodic reassessment, and vendor offboarding. We also conduct security training and maintain monitoring to oversee evolving cybersecurity risks. We generally include information security requirements in our agreements with third-party service providers and vendors to address cybersecurity risks, including obligations on our third-party service providers and vendors to notify and cooperate with us in the event of cybersecurity event that implicates or involves our data. During the periods covered by this Annual Report on Form 10-K, we have not experienced a data breach or system disruption, including a cyber-attack, that has had a material effect on our operations, financial conditions or results of operations. However, we continue to face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, result of operations or financial condition. For information on risks we face from cybersecurity threats, see “Risks Related to Cybersecurity and Data Privacy Security breaches and other disruptions to our information technology networks and systems could interfere with our operations, and could compromise the confidentiality of our proprietary information” in Item 1A. Risk Factors of this Annual Report on Form 10-K. Cybersecurity Governance Management Level Governance Our cybersecurity efforts are led by our Chief Information and Digital Officer (the “CIO”) and Chief Information Security Officer (the “CISO”). The CISO has primary management-level responsibility for assessing and managing our cybersecurity and defense program, with the CISO directly overseeing a team that is responsible for our day-to-day cybersecurity and cyber defense program. The team focuses on key areas of cybersecurity, including governance, risk management, engineering, architecture and operations. The CISO in turn reports to the CIO, who provides regular updates and feedback to other members of the management team on managing material risks from cybersecurity threats. Our CIO and CISO have combined over 50 years of experience in the field of cybersecurity and cyber defense. More specifically, their collective expertise and experiences span across multiple industries and various aspects of information technology network and systems, including those that relate specifically to cybersecurity, such as: developing and executing cybersecurity monitoring, defense programs and strategies product security, privacy controls, data protection, and identity management security operations, incident response, threat hunting and coordinating with legal response teams at numerous companies in connection with cybersecurity matters. Our CISO oversees our governance programs, testing of our compliance with industry standards, risk assessment for risk remediation, and our employee training program on information security. He is also responsible for keeping Novelis apprised of developments in cybersecurity, including potential threats and risk management techniques. We believe this ongoing knowledge acquisition is an important part of our efforts for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CISO implements and oversees processes for the monitoring of our information systems. This includes the deployment of advanced security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, our CISO and cybersecurity team rely on our cyber incident response plan, which we review, test, and revise, as appropriate, from time to time. Depending on the severity level of an incident, our CISO, working together with other members of our core cyber security response team, implement a series of immediate actions designed to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Our CISO and cybersecurity team consult with and keep apprised our CIO, as well as, when appropriate, key members of our executive management in the event of a cybersecurity incident that rises to a certain level. Our CISO hosts a monthly Cybersecurity Council with a standing agenda to share and update management plus key IT stakeholders on threats and incidents within the company, strategic updates and progress, business engagement, and operational metrics. Our CISO shares and provides updates on latest cybersecurity threats and risks with our ERM team every quarter. Board Level Governance Our Board, together with assistance and input from the Audit Committee, has primary board-level responsibility for oversight of our cybersecurity and data protection risks. Our Audit Committee chairman, as well as the other members of the Audit Committee from time to time, receive regular, informal updates from our CIO regarding the primary cybersecurity risks facing Novelis, and the steps management is taking to mitigate such risks. The CISO and the CIO also provide more formal briefings to the Audit Committee, generally at least once per year. Upon request from the Board, or if we determine to be appropriate, we may from time to time provide such briefings to the entire Board rather than the Audit Committee. These formal briefings generally include, among other items: Current cybersecurity landscape and emerging threats Status of ongoing cybersecurity initiatives and strategies 35 Incident reports and learnings from any cybersecurity incidents, if applicable and Compliance with the National Institute of Standards and Technology’s Cybersecurity Framework. Outside of such regular briefings, the Board and/or the Audit Committee are notified of cybersecurity incidents as we determine to be appropriate. Third Party Engagement Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors, to periodically evaluate and test our risk management systems, identify any vulnerability in our systems, and, if appropriate, to recommend and implement solutions to upgrade the security of our systems. These partnerships enable us to leverage specialized knowledge experience and insights in understanding and addressing cybersecurity threats, and approaches to address such threats.

Company Information