VISTEON CORP - (VC)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Governance
Responsibility for assessing cybersecurity risk includes, but is not limited to, input from our Board of Directors (the "Board"), including the Audit Committee of the Board (the "Audit Committee"), senior management and the Crisis Management Team (a taskforce comprised of representatives from primary corporate and operational functions). These groups devote significant resources to cybersecurity and the risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Visteon's internal cyber information technology ("IT") security team oversees and works collaboratively with various information security service providers using the National Institute of Standards and Technology (NIST) framework to regularly assess the threat landscape and support a layered cybersecurity strategy based on prevention, detection and mitigation.
The Company's Chief Information Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Audit Committee and to the full Board. Our Chief Information Officer has over two decades of experience leading cybersecurity oversight. Members of the cyber IT security team have multiple years of experience and/or hold security certifications (e.g., CISSP).
Risk Management, Strategy and Testing
The Audit Committee and the full Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Audit Committee is updated quarterly on the Company’s cybersecurity status including discussion of management’s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. The Audit Committee’s review also includes review of recent enhancements to the Company’s defenses and management’s progress on its cybersecurity strategic roadmap. In addition, at least two times per year, the full Board reviews key performance indicators, test results and related remediation, and recent threats and how the Company is managing those threats.
The Company’s cybersecurity risk management program incorporates external guidance and expertise through the use of third-party service providers to assist in the identification, assessment and management of risks specific to cybersecurity threats, including vendors providing threat intelligence, risk mitigation, dark web monitoring, external scanning and scoring, threat and reputation monitoring, forensics, cyber-insurance, advisory services and legal counsel. Visteon engages a managed security service provider to augment its cyber IT security team and to provide additional monitoring capabilities. Visteon’s cyber IT security team reviews enterprise risk management-level cybersecurity risks regularly, and key cybersecurity risks are incorporated into the annual corporate-wide Enterprise Risk Management assessment. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include an IT security manual as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. The Company has also obtained Trusted Information Security Assessment Exchange (TISAX) certification labels at multiple global locations.
The Company periodically performs simulations and tabletop exercises at a management level and incorporates external resources and advisors as needed. All employees are required to periodically complete cybersecurity training and have access to more frequent cybersecurity training through online modules.
The Company regularly tests its defenses by performing simulations and drills at a technical level (including through penetration tests) and by reviewing its operational policies and procedures with third-party experts. At the management level, our cyber IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. Our cyber IT security team conducts regular reviews of third-party hosted applications with a specific focus on any sensitive data shared with third parties. Internal audit works with the internal business owners of the hosted applications to document user access reviews annually and to obtain a System and Organization Controls ("SOC") report from the vendor. If a third-party vendor is not able to provide a SOC 1 report, the Company takes additional steps to assess the vendor's cybersecurity preparedness and assesses the relationship on that basis.
Certain products the Company manufactures are more susceptible to cybersecurity threats, and for those products the Company has additional product-specific cybersecurity risk assessment and management processes in place that align our internal policies, standards and development practices with customer requirements and industry standards, including the International Organization for Standardization ("ISO")/SAE 21434 standard for road vehicle cybersecurity engineering. Visteon's product-level cybersecurity management is led by a separate team within the engineering department, with the leader of that team reporting at least twice per year to the Technology Committee of the Board on the risks and processes related to product-level cybersecurity threats.
Visteon faces a number of cybersecurity risks in connection with its business. Although such risks have not, to date, materially affected the Company or its results of operations or financial condition, the Company has from time to time experienced threats to and breaches of its data and systems, including malware and computer virus attacks. Despite the extensive approach Visteon takes to cybersecurity, the Company may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company or its stakeholders. See Item 1A. "Risk Factors" for a discussion of cybersecurity risks.