SILGAN HOLDINGS INC - (SLGN)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY.
We are committed to protecting our critical information and data and information technology environment and defending against cybersecurity threats. We focus on relevant areas of cybersecurity risks and vulnerabilities and seek to mitigate such risks by maintaining secure environments, maintaining processes to identify cybersecurity threats and raising awareness of cybersecurity risks to our employees.
We utilize a comprehensive, multi-layered approach for our cybersecurity management which is generally aligned with the National Institute of Standards and Technology Cybersecurity Framework. We have a number of controls and procedures in place to recognize potential cybersecurity threats and potential incidents and elevate such potential incidents to senior management and our outside advisors to determine the materiality of such incidents. Automated tools and our third party security operation center provide alerts to our cybersecurity staff regarding potential threats. We also use an array of defenses to protect our cybersecurity environment and mitigate cybersecurity threats, including multi-factor authentication, access controls, email filtering, firewalls, intrusion prevention and detection systems, partitioning and encryption of information, backup and data recovery procedures, malware defenses, disaster recovery and incident plan responses, hardware and software updates and patching, and related programs. We regularly assess the efficacy of these defenses and mitigation measures and implement improvements, focusing on critical matters. To further promote a culture of cybersecurity awareness and defense, we also have regular educational and training sessions for our relevant employee population about the importance of cybersecurity and our key information more generally.
We regularly engage third parties and leverage their expertise to improve our cybersecurity environment and defenses against third party threats. Such third parties assist us in the assessment and testing of our cybersecurity environment and help us identify any potential gaps in our cybersecurity defenses. We also regularly discuss evolving cybersecurity threats with third parties and interface with software and hardware providers to manage our cybersecurity environment.
We have extensive incident response plans in place that provide a documented framework to, among other things, identify the critical steps to be taken for immediate rescue and recovery actions when a system disruption occurs. We also have comprehensive business continuity plans in place for disruptions, including a system disruption, that include recovery actions and alternate methods including manual workarounds that allow us to continue operating and shipping products. Our incident response plans and business continuity plans are regularly reviewed and updated, with a focus on continuous improvement.
While we have not had any cybersecurity incident that has materially affected or is reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, future cybersecurity incidents or threats could have a material impact on our results of operations or financial condition as discussed in “Risk Factors”—“Increased Information Technology Security Threats and More Sophisticated and Targeted Computer Crime Could Pose a Risk to Our Systems, Networks, Products, Solutions and Services.”
Our Board of Directors is responsible for risk oversight for the Company, which includes cybersecurity. Our Board of Directors’ risk oversight process, including for cybersecurity, builds upon management’s assessment of the Company’s risks and processes for managing and mitigating such risks. Our senior management presents a report to our Board of Directors at each of its quarterly regular meetings regarding our cybersecurity environment, relevant cybersecurity projects, actions we are taking to address and mitigate cybersecurity risks and other relevant cybersecurity related topics applicable to us. During such presentations and other discussions regarding risks, senior management reviews cybersecurity risks with our Board of Directors.
In support of such oversight process of our Board of Directors, our management maintains robust cybersecurity management processes. Our cybersecurity function is led by our Executive Vice President, Corporate Development and Administration and our Vice President of our Business Technology Group. Our Vice President of our Business Technology Group has been with us for over 35 years in various roles related to information technology, cybersecurity and support of our business and enterprise systems. He has over 38 years of direct experience in multiple roles related to information technology and cybersecurity and a deep understanding of how information technology data and specialized software and hardware relates to our business operations. Our Vice President of our Business Technology Group also has significant experience in identifying third party cybersecurity risks and integrating acquired companies into our cybersecurity environment.
We have a Cybersecurity Governance Committee, consisting of our Chief Executive Officer, our Executive Vice President, Corporate Development and Administration, our Executive Vice President, General Counsel and Secretary, our Senior Vice President and Chief Financial Officer, our Senior Vice President, Corporate Development (formerly the Chief Financial Officer for our U.S. metal container operations), our Vice President of our Business Technology Group and the IT Director for one of our businesses. Our Cybersecurity Governance Committee meets multiple times per quarter to address cybersecurity risks and threats, our responses to such risks and threats, the results of cybersecurity tests and controls and the impact of completed and planned projects to support our cybersecurity environment. We also maintain a cybersecurity working committee among our businesses that is comprised of our Vice President of our Business Technology Group, the IT Directors of our businesses and other key members of our Business Technology Group. The cybersecurity working committee meets at least monthly with a primary focus on goals and improvements to our cybersecurity management processes, and members of our management and of the management of our businesses are invited to attend.