SEALED AIR CORP/DE - (SEE)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Overview of Cybersecurity Risk Management
The Company maintains a cybersecurity program that is designed to identify, prevent, detect, respond to, and recover from cybersecurity threats, and protect the confidentiality, integrity, and availability of our information technology, including the information residing on such systems. The Company has a dedicated Chief Information Security Officer (CISO) with overall responsibility for developing and implementing the global cyber strategy, risk management, and operational initiatives. The Company leverages recognized cybersecurity frameworks to organize, improve, and assess its cybersecurity program and to manage and reduce cybersecurity risk. The global information security team, under the direction of the CISO, develops, implements, and manages cybersecurity-related internal controls and risk processes for the Company, with internal controls consisting of a mix of administrative, technical, and physical controls.
We deploy, configure, and maintain numerous technologies to enforce security policies, detect and protect against cybersecurity threats, and help safeguard the Company’s information systems and assets. We operate a Security Operation Center (SOC) to monitor cybersecurity threats, coordinate incident response resources, and reduce response times. Our internal SOC team is augmented by a third-party managed security services provider. The Company maintains a cybersecurity incident response plan that provides a structured approach for the Company’s response to cybersecurity incidents. Under the plan, cybersecurity incidents are escalated based on a defined incident severity scale, including to the Board of Directors as appropriate. To improve preparedness for a cybersecurity incident, we conduct tabletop exercises multiple times throughout the year. These exercises are conducted by internal team members and in some instances with assistance from third-party experts. The Company’s cybersecurity program also includes regular cybersecurity trainings for staff. We actively evaluate the training effectiveness and adjust the trainings based on the evaluations.
The Company’s cybersecurity program is periodically reviewed and adjusted by the CISO's office so that it can remain flexible and responsive as circumstances evolve, new cybersecurity threats emerge, and regulations change.
Engagement of Third Parties
We engage third-party cybersecurity consultants and experts to supplement staffing of our SOC as well as to assess, validate, and enhance our security practices, including conducting cybersecurity maturity assessments, vulnerability assessments, and penetration tests. As part of the incident response process described above, we engage third-party experts as needed to support the incident response team, such as external legal advisors, cybersecurity forensic firms, and other specialists.
Third Party Service Provider Risk Management
Vendor risk assessment is part of the Company’s cybersecurity program, which facilitates management of third-party service providers’ IT-related risks. Third-party service providers that have access to the Company’s network, data and information are subject to a cybersecurity due diligence process and the corresponding security control requirements based on the nature of the engagement. The vendor risk assessment process is reviewed at least annually.
Risks from Material Cybersecurity Threats
Cybersecurity risk and the failure to maintain the integrity of our operational or security systems or infrastructure, or those of third parties with which we do business, could have a material adverse effect on our business, consolidated financial condition, results of operations, or cash flows. Refer to Part I, Item 1A, "Risk Factors," for more information on SEE’s risks relating to our technologies, systems, and networks.
Governance of Cybersecurity Risk Management
The Board of Directors has oversight responsibility for our risk management programs, including cybersecurity risk management. The Board of Directors has delegated the specific responsibility of cybersecurity risk oversight to the Audit Committee, although the Board remains actively involved in overseeing cybersecurity risk management, both through presentations given by management during Board meetings, as well as through regular reports from the Audit Committee on its cybersecurity risk oversight activities.
Our Chief Information Officer (CIO) and CISO provide cybersecurity updates to the Audit Committee three times each year and the Board at least annually. These updates cover various topics, including information relating to cybersecurity strategy, program management, and performance trends. In addition to this regular reporting, significant cybersecurity risks or threats may also be escalated on an as-needed basis to the Audit Committee and the Board of Directors.
The Company’s management team is responsible for the day-to-day assessment and management of cybersecurity risks. As mentioned above, a dedicated CISO leads the information security team and is responsible for the Company’s cybersecurity risk management and strategy. The CISO has an MBA from Northwestern University's Kellogg School of Business, a master's degree in electrical and computer engineering from the University of Alberta and more than 20 years of experience in information security and risk management with companies in various sectors. The CISO reports to the CIO, who is responsible for global IT strategy and IT operations across the enterprise. The CIO has a degree in computer science and mathematics from Wofford College and has over 30 years of experience in the IT industry, spanning various roles and sectors.
As part of its overall Enterprise Risk Management (ERM) program, the Company identifies and assesses cybersecurity risks on an annual basis. The ERM program includes identification, assessment and management of risks, including cybersecurity risks. Business process owners incorporate risk management philosophy, exposures, mitigating activities, and key indicators to develop strategies and actions. The ERM Steering Committee, comprised of senior level executives, is responsible for assessing cybersecurity risks, providing direction and oversight for risk mitigation actions, and assisting the Board of Directors in overseeing the Company’s cybersecurity risks.