SunCoke Energy, Inc. - (SXC)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management, Strategy, and Governance
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K, to protect the confidentiality, integrity and availability of our critical systems and information. Our enterprise risk management program considers cybersecurity threats as part of our overall risk assessment process. We perform these risk assessments to inform our risk mitigation strategies and prioritize cybersecurity initiatives. Our cybersecurity risk assessment process includes network and endpoint monitoring, vulnerability assessments, and penetration testing, and we believe it helps identify our cybersecurity threat risks by aligning our processes to standards set by the National Institute of Standards and Technology (“NIST”). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. The results of our cybersecurity assessments are regularly shared with senior management and the Board of Directors. Additionally, we have implemented technologies, controls and processes to aid in our efforts to assess, identify, manage, and monitor material cybersecurity risks, their severity, and potential mitigation. We regularly review and update our cybersecurity processes to help address the evolving cybersecurity landscape and legal requirements, providing clear guidelines for our employees and third-party service providers.
Governance Structure and Risk Management Functions
Cybersecurity is an integral part of our risk management processes. Our cross-functional risk management team evaluates cybersecurity risks alongside other operational, financial, and reputational risks, facilitating effective resource allocation and coordinated mitigation strategies. In 2021, we updated our Audit Committee charter to memorialize the Committee’s role in reviewing cybersecurity matters. The Audit Committee oversees the initial assessment of cybersecurity threats as well as the Company’s approach to management and mitigation of such risks, compliance with industry standards related to cybersecurity, and the Company’s public disclosures related to cybersecurity matters. In addition, our Board of Directors devotes regular attention to oversight of cybersecurity risks. At least annually, the entire Board of Directors receives an update from our Chief Information Officer (“CIO”) detailing our cybersecurity threat risk management and strategy processes. This update covers topics such as data security posture, results from assessments conducted by third parties, progress towards security goals, and any material cybersecurity developments, as well as steps taken in response to such developments. Our governance structure allows senior management and the Board of Directors to also remain involved in our cybersecurity strategy and risk management oversight, creating a comprehensive approach to our risk management.
Cybersecurity Leadership and Communication
Our CIO has experience in various roles implementing effective information and cybersecurity programs. The CIO reports to the Company’s Senior Vice President and Chief Financial Officer and maintains open channels of communication with the broader senior management team and the Board of Directors. The CIO leads our cybersecurity initiatives and is responsible for implementing our cybersecurity strategy, managing daily operations, coordinating incident responses, and providing regular updates to management, the Audit Committee and the Board of Directors regarding the Company’s cybersecurity status and risk assessments.
External Support and Third-Party Risk Management
Management continues to take steps to enhance our data security infrastructure and defenses. Our processes also address cybersecurity threat risks associated with using third-party service providers, including those in our supply chain or who have access to our customer and employee data, our information systems, or the facilities that house such systems or data. We engage outside third-party experts, cybersecurity advisors, and auditors to conduct regular risk assessments, penetration testing, and vulnerability analyses. Our enterprise risk management and cybersecurity-specific risk identification programs include consideration of third-party risks and inform our selection and oversight of third-party service providers. We conduct appropriate due diligence on third-party service providers, vendors, and partners before establishing relationships with them, and we monitor such relationships on an ongoing basis. We also periodically review the Company’s cyber insurance policies to ensure appropriate coverage.
Incident Response and Vulnerability Management
In the event of a cybersecurity incident, our incident response plans are designed to mobilize an incident response team to address any breach. Our ongoing vulnerability management program complements our incident response capabilities. It includes periodic scanning, risk assessment, and patch management to address system and network vulnerabilities and help ensure that our infrastructure remains resilient against evolving threats.
As part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, and in our MD&A at Item 7 of this Annual Report on Form 10-K, we describe whether and how risks from identified cybersecurity threats, including any previous incidents, have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. These disclosures are incorporated by reference herein. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. Based on the information we have as of the date of this Annual Report on Form 10-K, we do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. This includes penalties and settlements, of which there were none.