INTERNATIONAL PAPER CO /NEW/ - (IP)
10-K Filing Date: February 16, 2024
RISK MANAGEMENT AND STRATEGY
The Company’s cybersecurity risk management processes are integrated into the Company’s overall risk management system. The Company has a formalized enterprise risk management program overseen by the Board of Directors and committees of the Board of Directors that addresses strategic, operational, financial, compliance, legal and information technologies and cybersecurity risks. In addition, the Enterprise Risk Management Council (“ERM Council”) is a management-level team comprised of senior vice presidents and other business leaders responsible for managing enterprise risks and planning and organizing the activities of our organization to minimize the effects of risk on the Company's business and financial results. The ERM Council regularly reports to the Board of Directors on areas of risk and risk management. The Chief Financial Officer serves as the ERM Council Lead. The Chief Audit Executive serves as the ERM Council Process Owner.
The Company has an Information Technology (“IT”) Risk Governance Program that aligns with the enterprise risk management framework and assists with fulfilling oversight responsibilities for major IT risks, including cybersecurity risks. The IT Risk Governance Program identifies, defines, manages, measures and governs cybersecurity risks across the Company at an enterprise level. The IT Risk Governance Program is carried out by an IT Risk Identification and Mitigation Team (“IT RIM”), which is comprised of business leaders from information security, information technology, human resources, internal audit, legal, and risk. The IT RIM meets monthly, reviews all cybersecurity incidents meeting certain criteria, provides oversight with respect to cybersecurity matters at a management level, and reports to the ERM Council.
Our Risk Assessment Program
The Company has a risk assessment program in place to assess, identify and manage material risks from cybersecurity threats. Cybersecurity risks the Company faces include targeted attacks, ransomware, data theft, viruses and intrusion software, as well as attacks on our website, financial applications, operational technology, telecommunications and human resources data. For a full discussion of cybersecurity risks facing the Company, please see Part I, Item 1A. Risk Factors - WE ARE SUBJECT TO CYBERSECURITY AND INFORMATION TECHNOLOGY RISKS RELATED TO BREACHES OF SECURITY PERTAINING TO SENSITIVE COMPANY, CUSTOMER, EMPLOYEE AND VENDOR INFORMATION AS WELL AS BREACHES IN TECHNOLOGY USED TO MANAGE OPERATIONS AND OTHER BUSINESS PROCESSES. Key aspects of the Company’s cybersecurity program include the following:
• layered technical protective capabilities and detective surveillance controls;
• utilizing independent third parties to assess the Company’s practices related to, and provide expertise and assistance with, various aspects of information security, as further described below;
• courses and awareness training on information security for employees with Company email or access to Company devices, including phishing, social engineering and other cybersecurity training as well as targeted training for specific roles based on responsibilities and risk level;
• global security and privacy policies; and
• business continuity, incident response and disaster recovery procedures, including tabletop exercises involving senior leaders.
The Company carries cyber insurance which provides coverage in connection with cybersecurity breaches.
Engagement of Third Parties
The Company engages third parties in connection with assessing, identifying and managing its cybersecurity risks, including the following:
• Engagement of an independent third party with incident response expertise to provide intelligence-based cybersecurity solutions and services to assist the Company with preparing for, preventing, investigating, responding to and remediating cybersecurity incidents, including attacks that target on-premises, cloud, and critical infrastructure environments.
• Engagement of an independent third party to conduct an annual security program assessment of the controls, maturity and performance of the Company’s information security program and the information security risk associated with the Company’s business systems. The assessment uses the National Institute of Standards and Technology Cybersecurity Framework as its benchmark.
• Engagement of a leading third-party service provider to annually perform an external and an internal penetration assessment using industry standard tools and techniques.
Additionally, our Internal Audit team conducts annual assessments of our cyber programs and controls.
Oversight of Third Parties
The Company has processes to oversee and identify material risks from cybersecurity threats associated with the Company’s use of third-party service providers. In this regard, the Company’s cybersecurity risk management program takes into account third-party systems whereby the Company could be impacted by the compromise of the security of vendors or other business relations of the Company, and the Company has a comprehensive third-party access management system. In addition, the Company conducts risk-based due diligence on the profiles of third-party service providers with respect to cybersecurity risks prior to engagement, and providers of critical services are continuously monitored with respect to security risks. The Company also requires service providers to provide prompt notification of any actual or suspected breach impacting Company data or operations.
The Company does not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition.
GOVERNANCE
Role of the Board of Directors and its Committees
International Paper has an integrated board and executive-level governance structure that oversees risks from cybersecurity threats. The Company’s Board of Directors has primary oversight of our enterprise risk management program, which includes cybersecurity risk. Moreover, the Board of Directors is supported in its oversight by the Audit and Finance Committee and PPE Committee, which share oversight responsibilities related to the Company’s information security programs. The Audit and Finance Committee reviews management’s cybersecurity and information security risk management programs and controls, including processes for management’s identification and reporting of material cybersecurity incidents. The PPE Committee reviews technology issues pertinent to the Company including those associated with information and operational technology, cybersecurity and data security and assesses related Company strategies.
Our Board of Directors, Audit and Finance Committee and PPE Committee each receives periodic updates on cybersecurity issues from management (including our Chief Information Security Officer (“CISO”)). For example, the CISO provides reports to the Audit and Finance Committee and PPE Committee regarding cybersecurity risks, as well as plans and strategies to mitigate those risks, at least annually. Furthermore, our ERM Council annually reports its activities either directly to the Board of Directors or through the Audit and Finance Committee.
Role of Management
At a management level, our cybersecurity risk management program is led by our CISO. Our current CISO has been with the Company for over 30 years, worked in Information Technology for over 25 years, and has led the Company’s security efforts since 2011. He was appointed as the Company’s first CISO in 2019. Our CISO stays current on cybersecurity issues and trends through continuing education activities such as participation at conferences and in webinars. Our CISO reports to the Chief Information Officer who oversees the Company’s information technology department.
The Company has also adopted a cyber-incident response plan which provides for controls and procedures in connection with cybersecurity events, including escalation procedures summarized below. The cyber-incident response plan is designed to address non-operational and operational cybersecurity events. Evaluation and response to cybersecurity events is led by our Cybersecurity Incident Response Team (“CIRT”), under the direction of our CISO. The CIRT is comprised of subject matter experts representing Information Security, Information Technology, Operational Technology, and Legal. The CIRT performs an impact assessment with respect to cybersecurity incidents, gathers facts and provides a chronology of events in connection therewith, and leads remediation and recovery activities. Our General Counsel, Senior Vice President of Human Resources, Chief Ethics and Compliance Officer (or their respective designees), and CISO review and assess significant non-operational data breaches. Cybersecurity events that meet specified criteria for operational impact are escalated for further review to our Business Continuity Incident Command Team (“Incident Command Team”). The Incident Command Team performs an initial assessment that includes evaluation of the cybersecurity event’s severity, response required, and estimated business cost, and leads the execution of business continuity plans to maintain Company operations. Cybersecurity events meeting certain criteria are escalated to our Disclosure Committee, General Counsel and Chief Financial Officer for further review. The Disclosure Committee, General Counsel and Chief Financial Officer assess and determine materiality using the facts and chronology of events provided by the Incident Command Team.