BERKSHIRE HATHAWAY INC - (BRK.B)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity

Berkshire recognizes that maintaining processes for identifying, assessing, and managing cybersecurity threats is important in dealing with its significant business risks. As such, Berkshire has implemented a framework for cybersecurity and cyber-related information management across Berkshire’s diverse groups of businesses. The framework permits each Berkshire Business Group (“Business Group”) to tailor solutions to identify, manage, and mitigate risks based on their own assessment of their unique cybersecurity risks in conjunction with each Business Group’s overall risk management processes. At the same time, the framework helps enable consistent and appropriate compliance in reporting material cyber events and risks across Berkshire.

Each Business Group’s Chief Information Security Officer (“CISO”) on at least an annual basis is to provide a report to the Business Group’s senior management regarding the state of their cybersecurity program and its material cyber risks. These reports are also shared with Berkshire’s internal audit group to inform and enhance the overall company’s risk management processes. In addition, each Business Group is required to maintain an incident reporting process to report significant cybersecurity events to Berkshire. Berkshire and its Business Groups engage and partner with a wide range of third parties to assess, audit, educate, implement, operate, protect, and remediate various cybersecurity-related elements.

Berkshire and its Business Groups rely on third-party service providers for a variety of products and services to run their information systems. This dependence exposes us, along with others who use these service providers, to the impact of a cyber-attack on their service providers. On occasion, a cyber-attack at a third-party service provider could have a significant financial, operational or reputational impact to Berkshire. Berkshire and its Business Groups continuously monitor the risks associated with its service providers.

The Audit Committee of Berkshire’s Board of Directors has responsibility for oversight of Berkshire’s cybersecurity risk management program. The Audit Committee receives periodic reports regarding the number of and impact from cybersecurity incidents reported through Berkshire’s cybersecurity incident reporting process. Additionally, the Audit Committee is updated on cybersecurity trends and common deficiencies. Furthermore, the Audit Committee approves and receives updates on the workplan performed by Berkshire’s internal audit group that focuses on information technology and cybersecurity risks. This includes audit procedures related to internal and external penetration testing, attack simulations, vulnerability assessments, cybersecurity program reviews and other audits designed to investigate specific risks. The frequency of these updates is determined by the Audit Committee in conjunction with Berkshire’s senior management.

In addition to the Audit Committee’s oversight, the senior management of Berkshire’s Business Groups are responsible for the day-to-day operations of protecting their businesses’ information systems. Each Business Group is required to report significant cybersecurity events to Berkshire. Berkshire’s senior management reviews incident reports to determine whether a cyber incident report should be filed with the SEC.