CANADIAN PACIFIC KANSAS CITY LTD/CN - (CP)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management
CPKC’s cybersecurity risk management program is an integrated and essential component of the Company’s overall risk management strategy. Through its Security Management Plan, CPKC maintains a comprehensive, risk-based plan that is modelled on and was developed in conjunction with the security plan prepared by the Association of American Railroads post-September 11, 2001. This plan also covers regulatory requirements such as TSA Cyber Security Directives and auditing requirements. Under this plan, the Company routinely examines and prioritizes cyber vulnerabilities and threats while also testing and revising protective measures for its assets and operations, both physical and cyber. Likewise, the Company’s cybersecurity risk management program entails real-time review and monitoring of CPKC’s cyber-risk exposures and implements strategic processes to manage those risks.

The Company's cybersecurity program utilizes the National Institute of Standards and Technology Cybersecurity Framework as its foundation. Accordingly, CPKC’s program includes periodic risk assessments, penetration testing by a third party, audit participation, employee and contractor training, and the implementation of technologies to assist in mitigating cybersecurity risks and harms. Incident response procedures, including escalation procedures, are designed, implemented, and periodically tested to assist the Company in detecting, responding to, and recovering from a potential cybersecurity incident, and in making any timely notification or disclosure that may be required under the circumstances. The Company scopes the third-party penetration tests as real-world attacks against perimeter defenses and internal processes, such as social engineering and phishing.

The Company's cybersecurity risk management program also includes ongoing threat research and analysis conducted with the assistance of third parties, including on emerging threat attack vectors, tactics, actors and motivations. The Company also engages in ongoing network monitoring and has implemented a vulnerability management and patching program. Further, CPKC employs structured vetting and ongoing risk management processes to identify and mitigate cyber risks associated with the use of third-party service providers, including specifically in the area of technology.

To date, risks arising from cybersecurity threats have not materially affected the Company, its results of operations, or its financial condition. However, the Company also recognizes the reality of the ever-evolving cyber risk landscape faced by industries and businesses across the world. Depending on their source and nature, cyber incidents could in the future materially affect CPKC, its operations, and its financial condition.

See “Risk Factors” in Part I, Item 1A of this Form 10-K for further information about information and cybersecurity risk.

Governance and Oversight
The Board of Directors oversees the work of all of its committees, including the Risk and Sustainability Committee. The Risk and Sustainability Committee is responsible for overseeing the Company’s strategic and integrated risk practices, including its approach to management and assessment of cybersecurity risks. The Chief Information Officer (CIO) provides annual and periodic updates to the Risk and Sustainability Committee and the Board of Directors on cybersecurity risks and the Company’s implementation of its strategy for mitigating such risks. In addition, the Company’s Chief Information Security Officer (CISO) also briefs the Risk and Sustainability Committee. The Audit and Finance Committee receives updates on information systems and cybersecurity audit and advisory engagements from the Chief Internal Auditor.

The CISO reports directly to the CIO and is responsible for:
Overseeing and implementing CPKC's cybersecurity strategy;
Aligning cybersecurity objectives with the overall business objectives;
Ensuring compliance with regulatory directives related to cybersecurity;
Promoting a cybersecurity culture through comprehensive awareness and training programs; and
Managing and coordinating incident response activities.

The Company's cybersecurity risk management program is supervised by the Managing Director of Enterprise Security, who reports directly to the CISO. The CIO and CISO regularly update senior leadership and the executive committee on cybersecurity risks.

The CISO, CIO, and certain members of their management team who are involved in implementing the Company's cybersecurity program possess expertise in cybersecurity risk management. Our CISO and CIO each have many years of experience in designing and implementing cybersecurity frameworks and working to mitigate cyber threats. Among other qualifications, certain members of the CISO's and CIO's management team also have certifications as a CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager).
24 / CPKC 2023 ANNUAL REPORT