BALL Corp - (BALL)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity

Risk management and strategy

Ball Corporation is committed to maintaining a strong cybersecurity posture. We have a dedicated, globally distributed information security team that is responsible for leading information security strategy, standards and processes, which are integrated into our comprehensive enterprise risk management process.

The company employs a standards-based cybersecurity program aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), including ongoing assessment and continuous improvement to address the rapidly evolving threat landscape. Ball partners closely with a strong network of external partners, including conducting annual assessments of the cyber risk management program against the NIST CSF.

Our information security team has designed and implemented formal processes for assessing, identifying and managing material risk from cybersecurity threats, both internally and related to the use of third-party service providers. Ball has strategically integrated its cyber incident assessment process with its well-defined incident response plan and processes.

In addition, we have aligned our incident response plan and process with our enterprise risk and global crisis management processes. These critical linkages ensure that we have an effective and efficient overall response to potential threats, with appropriate leadership governance involved in the ongoing cyber materiality assessment and determination.

In response to the ever-evolving cyber threat landscape, Ball utilizes external experts to support continuous improvement across our cyber program, processes and operations. This includes involving independent cybersecurity assessors and auditors to perform ongoing evaluation of our cyber program and operational maturity. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on cyber enhancements. These partnerships enable us to leverage specialized knowledge and insights to ensure our cybersecurity strategy and improvements remain aligned to critical improvements and address relevant threats and risks for Ball. In addition, we augment and extend our cyber team, using a select few, trusted third-party partners, integrated as members of our global operations. This provides us with expanded global threat intel and enhances our ability to deliver continuous, global cyber operations 24/7.

We are aware of the increasing risks associated with third-party service providers and have implemented processes to oversee and manage these risks. Prior to engaging with third-party providers, Ball conducts thorough security assessments and also performs ongoing monitoring to ensure compliance with our cybersecurity standards. Third-party cyber incidents follow our incident response plan and processes, including full assessment and remediation. Our oversight of third-party cyber risk aids our ability to lessen and mitigate impacts related to data breaches and other security incidents originating from third parties.

Ball faces risks from cybersecurity threats that could have a material adverse effect on the company, including its business strategy, results of operations, financial condition and reputation. Ball experiences cyber threats in the normal course of its business; however, prior cybersecurity incidents have not materially affected the company. Refer to Item 1A, Risk Factors – Technological Risks, for additional details on cybersecurity risks that could potentially materially affect the company, including its business strategy, results of operations, financial condition and reputation.

Governance

Ball’s Chief Information Security Director (CISD) reports to the Senior Vice President and Chief Information Officer (CIO) and leads the company’s cybersecurity team. The CISD is responsible for overseeing cybersecurity, including assessing and managing cybersecurity risk, and together with the CIO, providing comprehensive briefings to the executive leadership team with respect to the cybersecurity program and emerging or potential cybersecurity risks. The cybersecurity team has extensive experience selecting, deploying, and operating cybersecurity technologies, strategies and processes, and couples this knowledge with the use of external experts employed by Ball to protect the company from cyber threats.

Through our global security incident management plan, we aim to prevent potential cybersecurity incidents from becoming material with early detection, escalation, mitigation and remediation activities. If a cybersecurity threat is at risk of materially affecting our company, our cross-functional response team will enact our escalation processes to notify appropriate levels of management, along with the executive leadership team, disclosure committee, and Board of Directors, as necessary.

Our Board of Directors is responsible for providing oversight and governance with respect to IT and cybersecurity matters, which includes providing oversight over disclosure controls and procedures related to any cybersecurity breach occurrences and IT matters. Annually, the CIO briefs the Board of Directors on the company’s cybersecurity posture, the effectiveness of its risk management strategies, and the emerging threat landscape, which creates alignment of cybersecurity efforts with Ball’s risk management framework.
