PACKAGING CORP OF AMERICA - (PKG)
10-K Filing Date: February 29, 2024
Risk Management and Strategy
The Company maintains a cyber risk management program to prevent, detect and respond to information security threats. This program is supervised by a dedicated Chief Information Security Officer (CISO) whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. The CISO manages the program in collaboration with the Company’s businesses and functions. To mitigate the risk of cybersecurity threats and data breaches, we have also established policies and procedures, including a Cybersecurity & Data Breach Incident Response Policy, and have identified an Incident Response Team (IRT) with defined roles, responsibilities and means of communication. As part of our broader risk management and control framework, we have implemented cybersecurity controls over the information technology and process control systems of the Company and of its third-party service providers. The Company engages third-party organizations to assess the controls around sensitive data, including but not limited to financial, employee, customer and vendor data as well as data affecting our process controls and data used to operate our manufacturing and converting facilities. We work with an independent assessor to conduct interim assessments and track ongoing efforts to continuously improve the Company’s cyber risk management program. The most recent assessment was completed at the end of 2022. In addition, the Company utilizes an independent audit firm to perform specific attack and penetration reviews on an annual basis. While we have experienced threats to our data and systems, as of December 31, 2023, we are not aware of any cybersecurity incidents that have materially impacted, or are reasonably likely to materially impact, our operations or financial condition.
Board Roles and Responsibilities
The Audit Committee of the Board of Directors oversees the Company’s cyber risk management program. The Chief Information Officer (CIO) and the Vice President of Network Services present frequent updates to the Audit Committee and, as necessary, to the full Board of Directors. These regular reports include detailed updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. In addition, we have established processes to notify the Audit Committee of active incidents, as deemed necessary. The Company’s program is periodically evaluated by third-party experts, and the results of those reviews are reported to the Board of Directors.
Management Responsibilities
The Incident Response Team that we have established as part of our cyber risk management program coordinates the Company’s response to incidents and communicates with internal and external stakeholders. The team includes members of our Senior Leadership and draws upon additional staff, consultants, advisors and service providers as needed.
We are continuously focused on ensuring our Company is protected from potential cyber threats. Our Information Technology (IT) team is comprised of employees with a diverse mix of skills, backgrounds, perspectives, and relevant expertise who undergo extensive training as part of their employment with the Company. We believe these measures, together with our cyber risk management program as well as our policies, processes and procedures, set a high benchmark for our employees to address and respond to cybersecurity threats.
Our IT team regularly monitors best practices and, as needed, implements changes to the Company’s cyber risk management program to ensure a robust program is maintained. Aspects of this program include plans and procedures for identifying, communicating and containing security incidents, regular risk assessments and testing of the Company’s internal infrastructure to identify vulnerabilities, procedures for recovering from disruptions to our operations, maintaining global security policies, and comprehensive end user training and cybersecurity drills for personnel.
See “Part I, Item 1A. Risk Factors” of this Form 10-K for a discussion of cybersecurity risks.