Sylvamo Corp - (SLVM)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

Our overall cybersecurity strategy is to:

Cultivate a security-embedded organization and culture within the Company
Extend security from technology throughout the Company’s organization, practices and processes (we call this our cybersecurity mesh)
Evolve our cyber resiliency.

To that end, we have robust cybersecurity risk management processes that include technical security controls, policy enforcement mechanisms, monitoring systems, contractual arrangements, tools and services and management oversight to assess, monitor, identify, detect and manage risks from cybersecurity threats, and to respond to, conduct forensic analysis of, escalate appropriately and report cybersecurity incidents. We proactively obtain intelligence about potential cybersecurity threats, hunt for cybersecurity threats and consistently work to enhance our cybersecurity operations.

We have adopted cybersecurity control principles based on the National Institute of Standards and Technology Cybersecurity Framework (NIST), the Center for Internet Security (CIS) and ISO 27001. Further, our cybersecurity controls are designed to comply with applicable laws concerning protection of private information, including the EU General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) and the California Consumer Privacy Act of 2018 (CCPA).

In developing and implementing measures to assess, identify and manage cybersecurity risk, our approach is to evaluate the possible operational and financial effects of those measures and take that information into consideration in conducting a risk-based analysis of the appropriate cybersecurity protections for the Company. We strive to protect the Company with cost-effective, efficient and non-disruptive measures, while robustly protecting the Company against cybersecurity threats.

Our cybersecurity protections include physical, administrative and technical safeguards that cover both our information systems (also referred to herein as “information technology” or “IT” systems) and the people with access to our IT systems. We develop, maintain, test and periodically update detailed plans and procedures that are designed to help us prevent, and if necessary, timely and effectively respond to, cybersecurity incidents, which provide for the appropriate Company personnel and management to be involved depending on the type and severity of the incident.

Our IT systems architecture is embedded with cybersecurity features. We utilize a range of third-party software providing layers of defense against cyberattacks, and we have employees and consultants whose jobs are to continually assess and reduce the potential attack surface, to monitor, detect and respond in near real time to incidents to minimize damage, and to enhance the security environment and scale with business needs as they evolve. We conduct continuous monitoring of our potential cybersecurity vulnerabilities and attack vectors.

Our IT systems are accessible by our employees and certain third parties as necessary and appropriate to perform services for or otherwise do business with us. We strictly limit access to our IT systems, including that we use authentication controls and conduct real-time monitoring of access.

We address the cybersecurity threat risk posed by employees and third parties with access to our IT systems, including that we integrate cybersecurity risk management into the culture of our organization by: maintaining policies addressing various aspects of security necessary to protect our IT assets and data; requiring cybersecurity awareness and training programs for persons with access to our IT systems to build their cybersecurity skills and knowledge; consistent messaging to our employees (including from our top leadership) of the importance of managing cybersecurity risk, participating in our cybersecurity training and following our cybersecurity policies; and routinely testing responses by our employees to mock efforts to breach our cybersecurity protections.

We partner with and build relationships with third parties who have access to our IT systems to support an overall ecosystem around cybersecurity that we believe helps reduce third party cybersecurity risk affecting our level of cybersecurity risk. We assess cybersecurity risk from our suppliers and service providers and have in place oversight processes to identify and manage such risks. Those processes are cross-functional and form part of our enterprise risk management program, and they are supported by our security, compliance and sourcing organizations. We require suppliers and service providers identified as potential cybersecurity risks to adopt security-control principles based on NIST or similar global standards, and our form contracts for them include provisions drafted to reduce the cybersecurity risk that they may pose for us. We obtain various Service Organization Control 1 and 2 reports from third parties relating to physical security, information security, account administration, transactional processing and reconciliation, client reporting and layers of electronic security controls. Notwithstanding our cybersecurity controls that cover third parties, because it is more difficult to control and mitigate risk associated with third parties than risk internal to our own organization, we believe that these relationships with third parties create additional exposure to cyber risk.

In the event of a cybersecurity breach, our readiness, responsiveness and resiliency are critical. As part of our continuing efforts to assess and enhance our readiness and responsiveness, we conduct periodic mock practice scenarios in which participants at various levels of the Company, including members of senior management and IT technical personnel, play out responses to various cybersecurity breach scenarios. Thereafter, we debrief and identify areas of improvement, to continually develop response capabilities and processes that are as efficient as possible and that operate as quickly as possible in the event of a breach, to reduce potential harm that could be caused by inefficiencies and delay. Additionally, we regularly assess our systems’ resiliency and recovery capabilities in case of a cybersecurity breach, both self-managed as well as by qualified third parties.

Furthermore, our approach to improving readiness for potential cybersecurity breaches is designed to be integrated and coordinated among all aspects of the cybersecurity incident management lifecycle, including that we assess and consistently work to improve our site-level emergency response, our technology and cyber incident response, our executive-level crisis management, our business and operational continuity, our IT resilience and our disaster recovery. These efforts also take into account our Company’s business needs and operations and balance them against cybersecurity risk, and to inform ourselves in conducting this balancing, we obtain input from appropriate employees from our affected business operations, enterprise risk management, business continuity, business operations, information technology and cybersecurity organizations.

To enhance our cybersecurity risk management, we leverage industry associations, third-party benchmarking, audits, threat intelligence feeds and other similar resources, which inform our cybersecurity efforts and help us determine how best to allocate resources. We utilize third-party service providers to assist us in assessing, enhancing, implementing, monitoring and testing our cybersecurity program, areas of cyber risk and cyber risk management.

A cybersecurity threat resulting in a material cybersecurity incident could materially affect us and our business strategy, results of operations and financial condition, especially if it causes one or more of the following to occur: our incurring substantial costs to resolve the incident and address legal, reputational and other fallout from the incident; one or more of our IT systems become unavailable to operate our business; unauthorized third parties gain access to our sensitive and confidential business information; we lose access to information on our IT systems necessary to operate our business; and our customers’ and suppliers’ trust in our ability to protect their information is damaged to the extent that it impairs our ability to do business with them.

While we have a cybersecurity program designed to protect and preserve the integrity of our information systems, we also maintain cybersecurity insurance to manage potential liabilities resulting from specific cyberattacks. There is no guarantee that our cybersecurity program will be sufficient to prevent or mitigate the risk of a cyberattack or the potentially serious reputational, operational, legal or financial impacts that may result. Also, there is no guarantee that our cyberattack insurance coverage limits will fully cover any future claims or that such insurance proceeds will be paid to us in a timely manner. We have experienced cybersecurity incidents in the past that were not material, but future incidents could have a material impact on our business strategy, results of operations, financial condition and reputation. See “We are subject to information technology risks related to breaches of security pertaining to sensitive company, customer, employee and vendor information as well as breaches in the technology used to manage operations and other business processes” in Item 1A, “Risk Factors” in this Annual Report on Form 10-K.

GOVERNANCE

Our board of directors has overall responsibility for risk management oversight, with its committees assisting the board in performing this function based on their respective areas of expertise. Our board oversees cybersecurity matters and risk, and the Audit Committee also oversees risk that includes cybersecurity risk. The board periodically reviews our processes for assessing and addressing key strategic, operational, compliance and risk management matters concerning cybersecurity, and as part of such assessment receives briefings on such matters from our Chief Information Security Officer (“CISO”). These briefings include reports on the threat landscape, our strategies, efforts and investments to address threats, and updates on incidents. The Audit Committee also receives reports from the Company’s Vice President of Internal Audit assessing internal controls that include cybersecurity controls. Furthermore, our cybersecurity risk management processes are integrated into our enterprise risk management program and our compliance risk management program, both of which are also overseen by our board.

Our CISO has approximately 20 years of experience in the cybersecurity industry. She is responsible for developing, coordinating and overseeing our cybersecurity strategy, policy, program and solutions, and for providing cybersecurity guidance to key management and internal company oversight bodies. Our CISO manages our cybersecurity organization, which covers all regions in which we operate and which is staffed with employees dedicated full-time to cybersecurity. Our CISO reports directly to our Chief Information Officer (“CIO”) and reports on cybersecurity at least quarterly to senior management and semi-annually to the full board of directors, or more often as needed.

Our CISO is a standing member of our Enterprise Risk Council, which seeks to strengthen our company’s processes with respect to the identification, assessment, management and monitoring of the risks most likely to impact our strategic success, including cybersecurity risk. The council is chaired by our VP, Internal Audit, and its members are employees drawn from various areas of our organization. The council meets at least quarterly, or more often as needed, to further strengthen risk management activities across the Company, including the risk of cybersecurity incidents.

Cybersecurity threats and incidents are monitored and addressed through the processes described above in “Risk Management and Strategy” and, as part of such processes, cybersecurity incidents are evaluated by the company’s cybersecurity organization, which escalates information about incidents, as appropriate for the severity of the incident, to the CISO, and by the CISO to senior leadership.

The CISO informs, as appropriate, the Enterprise Risk Council, the CIO, the Company’s senior leadership and, as noted above, the board of directors and its Audit Committee, on safeguards to prevent, detect, mitigate and remediate cybersecurity incidents. The CIO and CISO both report directly on a regular basis to the Company’s senior leadership on progress towards specific IT risk management objectives, with the CISO focusing on cybersecurity objectives.