PEABODY ENERGY CORP - (BTU)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Peabody uses digital technology to conduct its business operations and engage with its customers, vendors and partners. As the Company invests in technologies such as cloud, analytics, automation and artificial intelligence, it strives to provide the necessary controls to protect these digital assets from continuously evolving cybersecurity risks.
Peabody’s cybersecurity strategy emphasizes reduction of cybersecurity risk exposure and continuous improvement of its controls and policies based on industry recognized best practices for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). This strategy includes: (i) proactive management of cybersecurity risk to ensure compliance with contractual, legal and regulatory requirements; (ii) performing due diligence on third parties to ensure they have sound cybersecurity practices in place; (iii) ensuring essential business services remain available during a business disruption; (iv) annual cybersecurity assessments to include NIST CSF maturity assessments, penetration testing and red team assessments, as well as table top exercises with subsequent remediation of key findings; (v) participation in Information Sharing and Collaboration industry groups; (vi) maintaining an updated cybersecurity policy and incident response plan; (vii) exercising cyber incident response plans and risk mitigation strategies to address potential incidents should they occur; and (viii) annual cybersecurity awareness training for all employees and directors, including formal training and simulated phishing events.
Third-party experts are engaged to conduct NIST CSF maturity assessments, penetration testing assessments, periodic red team assessments and table top exercises. At least one of these assessments is conducted annually by a third-party expert. Peabody also engages a third-party expert to assess the risk of its business and operational vendors.
Peabody’s enterprise risk management (ERM) framework considers cybersecurity risk alongside other company risks as part of the Company’s overall risk assessment process. The ERM team collaborates with the Chief Information Security Officer (CISO) to gather insights for assessing, identifying and managing cybersecurity threat risks, their severity, and potential mitigations.
Governance
Peabody’s Board of Directors maintains direct oversight over cybersecurity risks and oversees an enterprise-wide approach to risk management, designed to support the achievement of organizational objectives to enhance long-term performance and stockholder value. The Board, as a whole and through its committees, is responsible for the oversight of risk management, and Peabody’s management is responsible for the day-to-day management of the risks the Company faces. Senior leadership, including Peabody’s CISO, regularly briefs the Board on cybersecurity matters, and the Board is informed on an ongoing basis of cybersecurity incidents deemed to have a moderate or higher business impact, even if such incidents are determined to be immaterial.
Peabody’s global cybersecurity department is responsible for overall cybersecurity strategy, policy, operations and cybersecurity incident response. Team members who support the Company’s cybersecurity program invest in ongoing skills development, including maintaining industry recognized certifications such as the ISC2 CISSP, GIAC GCIH and CompTIA Security+, as well as platform specific certifications focused on Peabody’s current cybersecurity infrastructure.
Impact of cybersecurity risks on business strategy, results of operations or financial condition
While Peabody has experienced cybersecurity incidents in the past, to date none have materially affected the Company’s business strategy, results of operations or financial condition. Peabody continues to invest in the cybersecurity and resiliency of its networks and to enhance its internal controls and processes, which are designed to help protect its systems and infrastructure, and the information they contain.
Peabody Energy Corporation | 2023 Form 10-K | 41 |
For more information regarding the risks the Company faces from cybersecurity threats, refer to Item 1A. “Risk Factors.”