EASTMAN KODAK CO - (KODK)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Kodak has implemented various processes designed to assess, identify and manage risk from cybersecurity threats. Kodak's cybersecurity program follows the structure and objectives of the U.S. National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and is designed to satisfy multi-jurisdictional regulatory requirements. Key areas of Kodak's cybersecurity risk management processes and strategy currently include:

Cross-Functional Collaboration and Coordination. Our information technology (“IT”) security operations and risk management team (“IT Security Team”), led by our Chief Information Security Officer (“CISO”), has first line responsibility for the implementation and operation of our cybersecurity risk management processes. However, this team works together with other internal teams to coordinate efforts, priorities and oversight. These include:

o our IT Risk Council (the “Council”), which is comprised of key leaders from stakeholder groups throughout the Company and led by our CISO and meets monthly to review metrics and discuss risks and recent events;

o our Risk Management and Compliance Committee (the “Risk Committee”), which is responsible for evaluating and assessing overall enterprise risk, including cybersecurity risk;

o our Internal Audit Department, which monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment;

o our Chief Privacy Officer; and

o our crisis management team, a cross-functional team of senior management and subject matter experts from across the Company established to be ready to respond to crisis events, including those arising from cybersecurity incidents.

Ongoing Evaluation and Assessment of Systems and Processes. We routinely evaluate our IT systems and infrastructure, including with respect to system security, and regularly implement upgrades to improve system functionality and performance as well as to enhance security. Security controls are routinely assessed by our annual general controls audit and other audits and assessments as well as a thorough assessment performed during the annual cyber insurance application process. In addition to periodic in-depth evaluations of our systems and processes, we monitor our IT systems and processes on an ongoing basis with the goal of identifying and remediating real and potential threats as they arise.

Security Awareness Program to Train and Test Personnel. We operate a security awareness program that includes regular, mandatory trainings for relevant personnel on data protection and malware detection, policy and process awareness, periodic phishing simulations and other kinds of preparedness testing.

Incident Response Process and Team. We maintain an incident response process with defined roles, responsibilities and reporting protocols. This process focuses on responding to and recovering from any significant breach as well as mitigating any impact to our business. Generally, when a breach or suspected breach is identified, the IT Security Team would escalate the issue to the Council for initial analysis and guidance. In the event of a serious IT incident, the crisis management team would be notified and the incident response team would typically be tasked with preparing an initial response. The incident response team, in consultation with others regarding impact and materiality, would be responsible for determining whether a particular incident (alone or in combination with other factors) triggers any reporting or notification responsibilities.

Regular Evaluation of Initiatives, Results and Priorities. The IT Security Team, in consultation with the Council and other members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments, and further developments in the cybersecurity threat landscape. In addition, we periodically engage a third-party provider to conduct an external assessment of our security program. The results of this assessment, which are reported to the Audit and Finance Committee (and the Board, as appropriate), assist us in determining whether any further changes to our existing policies and practices are warranted.

We expect that our cybersecurity risk management processes and strategy will continue to evolve as the cybersecurity threat landscape evolves.

We engage third-party providers to assist us with our cybersecurity risk management and strategy. Examples of services provided by these third-party providers include threat monitoring, incident response support, testing, mitigation strategies, updates on emerging trends and developments and policy guidance. Prior to exchanging any sensitive data or integrating with any key third-party provider, we assess their security fitness against our risk posture and request changes as we deem necessary. Security controls are imposed through comprehensive standard terms and conditions that include privacy and incident reporting requirements, and third parties are periodically re-evaluated for security risk.

As of December 31, 2023, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected the Company, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the heading, “Risks Related to Kodak’s Business and Operations—Cyber-attacks or other data security incidents that disrupt Kodak’s operations or result in the breach or other compromise of proprietary or confidential information about our workforce, our customers, or other third parties could disrupt our business, harm our reputation, cause us to lose customers, and expose us to costly regulatory enforcement and litigation, any of which could lead to material adverse effects on Kodak’s results of operations, business and financial condition” in this Form 10-K.

Governance

Consistent with our overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risk while our Board and its Audit and Finance Committee perform an oversight function.

Board Oversight. Our Board has delegated to its Audit and Finance Committee the responsibility for overseeing cybersecurity risk exposures in addition to our broader risk management program. Management (including our Chief Information Officer (“CIO”) and our CISO) reports at least annually to the Audit and Finance Committee on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives intended to bolster our security systems and the cyber readiness of our personnel.

Management's Role. Our IT Security Team addresses and responds to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. The team oversees compliance with our cybersecurity framework within the organization and facilitates cybersecurity risk management activities throughout the organization. The IT Security Team also assists with the review and approval of policies, completes benchmarking against applicable standards, and oversees the security awareness program.

Our IT Security Team is led by our CISO. Our CISO reports to our CIO who, in turn, reports to our Executive Chairman and Chief Executive Officer. Our CISO has 40 years of IT experience, with over 20 of those focused on IT security functions and strategies. Collectively, the other members of our IT Security Team have decades of relevant education and experience and maintain a wide range of industry certifications. We provide cybersecurity training for our IT Security Team upon joining the IT Security Team, on an annual basis and more frequently when necessary.

As noted previously, our CISO is a member of the Council, which meets monthly to provide operational direction to the IT Security Team considering the evolving risk landscape. The IT Security Team and the Council, through ongoing communication, monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO or CIO, in consultation with the Council and other members of senior management, reports such threats and incidents to the Audit and Finance Committee, as appropriate. These reports may be included in, or in addition to, the regular annual reports to the Audit and Finance Committee.
