Alcoa Corp - (AA)
10-K Filing Date: February 21, 2024
Risk Management and Strategy
The Company’s processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall Enterprise Risk Management (ERM) process. As part of the ERM, the Company focuses on developing multi-layered, collaborative processes to identify, monitor, and manage risks from cybersecurity threats. Risks are grouped into categories that management can then assess, monitor, and prioritize based on the likelihood of an occurrence, level of impact, and mitigating factors.
Our various cybersecurity risk management processes apply to various functions, including but not limited to third-party suppliers and vulnerability management. We employ processes and technologies to bring visibility to, and protect against, cybersecurity risk, including real-time monitoring of network traffic. The Company also has a comprehensive body of policies and standards for assessing, identifying, and managing material risks from cybersecurity threats, including an incident response plan, business continuity plan, and crisis management plan, as well as disaster recovery mechanisms, which are tested and updated. Additionally, the Company employs staff who are specifically dedicated to raising cybersecurity awareness and training within the organization.
The Company engages third-party assessors, consultants, and auditors to assist in assessing, identifying, and managing risk from cybersecurity threats. Third parties assist the Company by (i) providing regular penetration testing and vulnerability assessments; (ii) assessing and maintaining our formal incident response policies, including through the use of tabletop testing; and (iii) providing multiple sources of threat intelligence information that are fed directly into our technical security platforms, including ongoing network monitoring. The Company also has a comprehensive third-party information security audit program in place.
Alcoa has implemented processes designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to a security risk assessment prior to engagement to determine whether they meet defined levels of security capability. Our master services agreements with third-party service providers generally carry a number of security requirements, including audit rights for the Company. After engagement, third-party service providers are subject to regular audits in which contract owners within Information Technology Automated Solutions (ITAS) validate that any certifications a vendor held upon engagement are maintained throughout the life of the agreement.
We have in the past experienced attempts and incidents by external parties to penetrate our, our service providers’, and our business partners’ networks and systems. Such attempts and incidents to date have not had a material adverse effect on our business, financial condition, or results of operations. See Part I Item 1A of this Form 10-K for more information on risks.
Governance
The Alcoa Board of Directors (Board), in coordination with the Audit Committee, is responsible for the oversight of our cybersecurity risk management program. The Audit Committee and the Board receive regular updates regarding the state of the Company’s cybersecurity program, cybersecurity developments, and emerging threats. The Chief Information Security Officer (CISO) and the Chief Information Officer (CIO) regularly update the Audit Committee and the Board regarding the Company’s strategy to mitigate cybersecurity risks, which includes regular vulnerability assessments and employee training on cybersecurity matters. Alcoa’s CISO is responsible for maintaining identified material cybersecurity risks within the Company’s ERM platform. On a quarterly basis, the CISO reviews and updates risks, as well as the control procedures in place. These risks are regularly reported to the Audit Committee and Board.
Alcoa’s CISO has twenty-five years of experience in Information Technology, carries multiple certifications in information security, and has extensive cybersecurity risk management experience in manufacturing organizations. The CISO closely collaborates with the CIO and Chief Financial Officer (CFO) in managing material risks from cybersecurity threats. Alcoa also maintains an information security steering committee, which oversees current and emerging cybersecurity risks to the Company. The steering committee is composed of a cross-functional team of leaders from across Alcoa’s business groups, including the CISO and CIO.
The Company has established comprehensive incident response plans that set forth the processes through which cybersecurity incidents are managed, including how management is informed of cybersecurity incidents. As part of these plans, incidents are evaluated, classified, and elevated to an executive team which includes the CISO and executives on the Crisis Response Team. Once elevated, these executives are ultimately responsible for the management, mitigation, and remediation of incidents.