KAISER ALUMINUM CORP - (KALU)
10-K Filing Date: February 22, 2024
Risk Management and Strategy
We employ information systems to support our business. As is the case for other manufacturing companies of comparable size and scope, we, from time to time, experience attempted cyber-attacks on our information systems. We also face risks associated with other potential significant failures or disruptions of our information technology networks. We utilize a risk-based, multi-layered information security approach that incorporates elements of the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”). We have adopted and implemented this approach to identify and mitigate information security risks in a manner that we believe is commercially reasonable for manufacturing companies of our size and scope.
The review of cybersecurity risks and threats is integrated into our enterprise risk management (“ERM”) program. Our ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned risk owners to establish action plans and implement risk mitigation strategies. The cybersecurity threat risk action plan is managed at the enterprise level by our Chief Information Officer (“CIO”). Management employs defense-in-depth mechanisms throughout the enterprise. We regularly engage and consult with independent third-party consultants as part of our overall ERM, including for penetration testing and periodic tabletop exercises to better prepare us for potential cyber threats. We also conduct annual information security training to educate employees, make them aware of information security risks and enable them to take steps to mitigate those risks. As part of this program, we take reasonable steps to provide our executive management and employees who may come into possession of confidential financial information with appropriate information security awareness training. In addition, we employ multi-factor authentication and vulnerability management to prevent or mitigate cybersecurity incidents.
A cybersecurity incident may be detected in a number of ways, including, but not limited to, through automated reporting mechanisms, network and system indicators, intrusion detection systems, employee reports, law enforcement reports, or other third-party notification. To oversee and identify cybersecurity threat risks on a day-to-day basis, including those arising from third-party service providers, the Company maintains a cybersecurity operations team with round-the-clock monitoring, and the CIO and Director of Cybersecurity receive regular reports on industry activity. Upon receiving notification of a cybersecurity incident, the cybersecurity operations team acts to isolate and contain the threat. The CIO, together with the Director of Cybersecurity, determines the incident severity level, which in turn determines whether the incident is escalated. Critical and high severity incidents must be reported to our President and Chief Executive Officer; Executive Vice President and Chief Financial Officer; Executive Vice President, Chief Administrative Officer and General Counsel; and Executive Vice President - Manufacturing. The Company may engage third-party experts for assistance with crisis management, including forensic investigations, ransom negotiation, or crisis communication. During this process, the cybersecurity operations team takes steps to preserve evidence as soon as possible, including, but not limited to, memory dumps, log preservation and forensic hard drive collection. In addition, our Executive Vice President, Chief Administrative Officer and General Counsel, in consultation with the CIO and Director of Cybersecurity, will promptly evaluate whether the incident requires legal notifications or disclosure, including whether the incident requires disclosure under the U.S. securities laws.
Following a cybersecurity incident, the Executive Vice President and Chief Financial Officer directs the development of documentation regarding lessons learned from the response, including an evaluation of preparedness capability, to continuously strengthen the cybersecurity posture of the Company.
Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business, strategy, results of operations, or financial condition. See “Item 1A. Risk Factors - Risks Related to Cybersecurity and Privacy” for additional information. While we continually work to safeguard the information systems we use, and the proprietary, confidential and personal information residing therein, and mitigate potential risks, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks and data or those of our third-party providers. In the event an attack or other intrusion were to be successful, we have a response team of internal and external resources engaged and prepared to respond. We also have a cyber risk insurance policy to help us mitigate risk exposure by offsetting costs involved with recovery and remediation in the event of a successful attack or other intrusion.
Governance
The Audit Committee is responsible for the review of risks relating to our information technology systems, including cybersecurity, emerging cybersecurity developments and threats, and our strategy for mitigating cybersecurity risks. Our entire Board of Directors is responsible for overseeing management’s risk assessment and risk management processes designed to monitor and mitigate information security risks. The CIO and Director of Cybersecurity report on cybersecurity matters semi-annually to the Board, primarily through the Audit Committee. Management provides benchmarking information and updates on key operational and compliance metrics to the Audit Committee. In addition, cybersecurity training is provided to the Audit Committee to educate directors on the current cybersecurity threat environment and the measures companies can take to mitigate the risk and impact of cyberattacks.
As described above, management is actively involved in assessing and managing the Company’s material cybersecurity risks. The CIO and the Director of Cybersecurity primarily lead these efforts. The CIO, who reports to the Company’s Executive Vice President and Chief Financial Officer, manages the global information technology and cybersecurity programs. The CIO holds Bachelor’s and Master’s degrees in Business Administration, specializing in information systems and quantitative methods, from Loyola Marymount University. The CIO has over 25 years of information technology expertise, with extensive experience in enterprise risk management, including the analysis, development, evaluation and testing of control objectives and procedures to mitigate risks. The Director of Cybersecurity oversees and helps to ensure that appropriate capabilities and controls are implemented in the areas of network security, endpoint protection, data protection, incident response, and identity and access management. Additionally, in this role, the Director of Cybersecurity works closely with third-party security partners on monitoring and incident response services.