CROWN HOLDINGS, INC. - (CCK)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management & Strategy
Cybersecurity is integrated into the Company’s overall risk management program. The Company has established a cyber risk management program that identifies and manages risks to our information assets that could be affected by a cyberattack. The Company leverages both internal and external threat detection and response capabilities, combined with a people-centric approach to employee awareness and engagement. The Company considers risks related to people, processes, and technology, including those associated with our third-party service providers, and allocates resources to maintain and enhance our cybersecurity measures.
The Company engages external third-party security assessment vendors, both on a recurring basis and as needed, to perform realistic adversarial threat attacks (penetration testing) on our internal and external environments leveraging the International Organization for Standardization (ISO) cybersecurity frameworks. These third-party experts provide impartial, objective, and strategic evaluations of our cybersecurity posture, identifying critical vulnerabilities and recommending improvements.
Although, through the date of this filing, we are not aware of any cybersecurity incidents that have materially impacted the Company, we cannot eliminate all risks from cybersecurity threats. We describe whether and how risks related to cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
Company senior leadership has top-level responsibility for management of information security risk. The Company has established a dedicated, globally focused cybersecurity team led by its Chief Information Security Officer (CISO), who brings over 20 years of experience in the field of cybersecurity and IT operations. The CISO is responsible for overseeing the entire global cybersecurity program, which encompasses cyber risk management, operations, strategic planning, and compliance with cybersecurity policies and regulations. Crown’s cybersecurity team maintains collaboration with other cross-functional teams to assess and manage cybersecurity risks. This approach enables the Company to align cybersecurity efforts with broader business objectives and respond to emerging threats. Additionally, Crown’s Board of Directors, along with the Crown Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and General Counsel, oversee the identification, assessment, and management of cybersecurity risks.
In case of a cyber incident with significant or material impact, the CISO would escalate to senior leadership and, depending upon the severity and scope of any cyber incident, the Company will invoke its Corporate Crisis management plan.
On a regular reporting schedule, the CISO provides updates on cybersecurity risk and mitigation efforts to senior leadership, the Board, and members of the Audit Committee. The Audit Committee, which is tasked with oversight of certain risk issues, including information security risk, receives two to four reports annually from the Company’s senior leadership, including the CISO, that include an information security dashboard and discussion of emerging risks and trends. The Audit Committee then briefs the Board on these matters.