Kyndryl Holdings, Inc. 10-K Cybersecurity GRC - 2025-05-30

Page last updated on June 2, 2025

Kyndryl Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-30 12:05:10 EDT.

Filings

10-K filed on 2025-05-30

Kyndryl Holdings, Inc. filed a 10-K at 2025-05-30 12:05:10 EDT
Accession Number: 0001558370-25-008282


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the critical importance of cybersecurity in upholding the safety and security of our systems, services and data and maintaining the trust of our customers. Cybersecurity risk management is an important part of, and is integrated into, the Company’s overall enterprise risk management program. We maintain a cybersecurity risk management program that is designed to identify, assess, manage and mitigate cybersecurity risks and provides a framework for responding to cybersecurity threats and incidents. We regularly assess and update our cybersecurity risk management program and our cybersecurity posture to protect the confidentiality, integrity and availability of the Company’s and our customers’ infrastructure, resources and information. We designed a multi-faceted risk-management approach based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and informed by other industry standards and industry-recognized practices to identify and address cybersecurity risks.

Our key cybersecurity processes include the following:

● Risk-based, layered controls - We regularly assess and adjust our technical controls and methods to identify, respond to and mitigate emerging cybersecurity risks and use a layered approach with overlapping controls to defend against cybersecurity attacks and threats to our networks, end-user devices, infrastructure, applications, data and cloud solutions and the data that our customers entrust to us.

● Cybersecurity incident response plan and testing - We have a global incident response process and dedicated teams responsible for monitoring, detecting and responding to cybersecurity threats and attacks, whether external or internal, periodically testing our processes and protocols, and regularly communicating and providing reports to our CISO, Security & Resiliency global practice leader and senior executive leadership.

● Information sharing and collaboration - We utilize threat intelligence and security information collected from various sources, including but not limited to partners, suppliers, governments and information sharing and analysis centers, to identify, protect against, detect and respond to potential cybersecurity threats and events.

● Training and awareness - We use a combination of training and education, including mandatory annual cybersecurity and privacy training, phishing simulation exercises and a multitude of alerts, educational tools, videos and other ongoing awareness initiatives on a variety of topics relating to the rapidly evolving threat landscape, throughout the year that foster a culture of security awareness and responsibility among our workforce.

● Supplier risk assessments - Recognizing that our suppliers can be subject to cybersecurity incidents which may impact us and our customers, our procurement process includes security, data governance and privacy risk assessments to identify and evaluate risk associated with certain key suppliers, including reviewing relevant cybersecurity certifications and third-party audit results, assessing technical and organizational controls and evaluating their risk profile.

We periodically engage third-party security consultants to conduct evaluations of our cybersecurity controls and procedures, including penetration testing, third-party audits, and reassessing best practices to address new challenges. These evaluations include testing the design and operational effectiveness of our cybersecurity controls and procedures. Our internal audit function conducts additional reviews and assessments of our cybersecurity controls and procedures and reports to the Audit Committee and the Board of Directors as appropriate. We use the findings from these efforts to improve our practices, procedures and technologies.

Cybersecurity Risk Oversight and Governance

Our Board of Directors is responsible for the overall oversight of our enterprise risk management. The Audit Committee periodically reviews the Company’s enterprise risk management framework, including enterprise risk management processes, and assists the Board of Directors in its oversight over certain key areas of risks, including overseeing cybersecurity, data governance and privacy risk and regularly reporting on such matters to the Board. The Audit Committee and full Board of Directors receive periodic updates from our CISO about Kyndryl’s cybersecurity policies and practices, cybersecurity developments, trends, risks, notable incidents, mitigation strategies, maturity initiatives and other developments throughout the year, as well as periodic updates from our CIO, Security & Resiliency global practice leader and other senior leaders on cybersecurity-related matters. Our information security program is led by our CISO, who is responsible for the overall security of the enterprise, and our Security & Resiliency global practice leader, who is responsible for the security of the services that we provide to customers. Our CISO and Security & Resiliency global practice leader collaborate closely with one another and other key stakeholders across the Company in developing and implementing our cybersecurity strategy, policy, controls, operations, threat detection and incident response and remediation. Our teams that support the CISO and Security & Resiliency global practice leader in these efforts are comprised of cybersecurity professionals with many years of experience in cybersecurity across multiple sectors, including heavily regulated industries such as financial services and defense, and many of them hold relevant industry certifications.
Under our global incident response process, cybersecurity incidents are assessed and classified by severity, and significant incidents are escalated as appropriate to senior executive leadership. In addition, we have a process to promptly notify the Board of Directors, as appropriate, in the event of any cybersecurity incident impacting the Company that may be material. Based on the information we have as of the date of this Form 10-K, we do not believe that any cybersecurity incident experienced by the Company has materially affected or is reasonably likely to materially affect Kyndryl, including our business strategy, results of operations or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.”


Company Information

Name: Kyndryl Holdings, Inc.
CIK: 0001867072
SIC Description: Services-Computer Integrated Systems Design
Ticker: KD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30