Cooper-Standard Holdings Inc. - (CPS)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
One of our organization’s top priorities is protecting Cooper Standard’s digital assets, and we increasingly rely on data and digital transactions to operate efficiently and effectively. We take action to prevent potential impacts related to system outages, data breaches, cyber-attacks and other threats to avoid disruption to our daily operations. Cooper Standard prioritizes increasing efficiency and efficacy as we design and refresh prescriptive incident response procedures to minimize impacts of potential cyber-attacks or outages. From time to time, the Company engages in table-top exercises, which involve cross-functional business leaders. Our information technology (“IT”) professionals focus on improving existing controls as outlined by ISO/IEC 27001:2022 (an internationally recognized information security framework), which is the foundation of our cybersecurity program. In recent years, we made advancements in this space by conducting a risk assessment carried out by an independent third-party and adding new cyber advisory services as described further below.
We annually contract with a well-known third party to conduct a comprehensive, enterprise-wide risk assessment. In addition to other mandates, this assessment evaluates Cooper Standard’s cybersecurity program from a risk perspective and assesses our IT controls for alignment with the ISO/IEC 27001:2022 information security framework. Based on the assessment results, we refresh the roadmap for our cybersecurity program, focusing on the highest-risk vulnerabilities first and monitoring for significant changes and emerging risks, continuously adjusting the roadmap as needed.
Our cybersecurity program is built on a collection of fundamental security controls, focused on the overall protection of company and stakeholder data. Company leadership has defined the following objectives for information security:
• Governance: Establish proper governance for the cybersecurity program.
• Security Operations & Data Protection: Create a secure digital operating environment (apps, networks, systems, etc.) designed to protect critical data and to prevent business disruption.
• Response and Recovery: Develop and practice incident response, business continuity and disaster recovery processes to minimize the impact of a major incident.
• Compliance & Effectiveness: Meet all compliance requirements and develop program metrics to ensure effectiveness.
To achieve these objectives, we emphasize fundamental security measures, such as access controls, cyber hygiene (e.g., patching and malware protection) and employee awareness training.
Third-party risk management is an important focus of the Cooper Standard cybersecurity program. Cybersecurity is evaluated and considered throughout the lifecycle (onboarding, ongoing operations, offboarding) of third-party relationships as we conduct business with them. We review the security posture of each third party prior to initiation of the relationship, and periodically throughout the relationship. We evaluate several aspects of information security, utilizing guidance from globally recognized frameworks (e.g., ISO 27000:2022). Critical service providers are also required to submit independently certified assurance of their security controls based on internationally recognized standards (e.g., ISAE 3402, SOC 1, SOC 2, etc.). Finally, upon relationship termination, we ensure each third party is properly offboarded, addressing critical cybersecurity concerns such as eliminating access and obtaining and/or deleting Company data.
Cooper Standard continuously works to update and strengthen our Incident Response (“IR”) program, which defines response procedures and prescriptive controls designed to streamline response to incidents, when and if they occur. Our designated cross-functional Incident Response Team (“IRT”) consists of leaders from human resources, global communications, legal, internal audit and information technology. Cooper Standard’s IRT is dedicated to maintaining a culture of continuous improvement, taking into consideration lessons learned from table-top exercises and feedback from the third-party expert with whom we annually contract.
While we have experienced threats to our data and systems, to date, we have not experienced a cybersecurity incident that has materially affected our business strategy, results of operations, or financial condition. That said, a significant cybersecurity incident may materially impact the Company’s business strategy, results of operations and financial condition in the future. For further information regarding cybersecurity risks to the Company, see Part 1, Item 1A, Risk Factors, “A disruption in, or the inability to successfully implement upgrades to, our information technology systems, including disruptions relating to cybersecurity as well as data privacy concerns, could adversely affect our business and financial performance.”
Governance
We align our cybersecurity and IT compliance programs to take advantage of natural synergies and our IT controls environment. Our Senior Vice President, Chief Information Technology Officer, who has more than 25 years of experience in technology and information security risk management in our industry and across a number of organizations, is responsible for overseeing the risks related to cybersecurity. Our cybersecurity team holds several cybersecurity industry certifications such as ISC2 CISSP, ISACA CISM and EC-Council CEH.
The Cooper Standard IT leadership team manages the global cybersecurity and IT compliance organization, and the Senior Vice President, Chief Information Technology Officer directly reports updates to the Audit Committee of the Board of Directors at least twice annually and to the full Board of Directors at least annually. Further, our cybersecurity team periodically reports to our Global Leadership Team (“GLT”). Data privacy, cybersecurity and digitization are also managed as a material topic as part of our Enterprise Risk Management (“ERM”) Committee, which ensures cybersecurity risks are integrated into our overall risk management. From an accountability perspective, our internal audit team independently assesses the cybersecurity program by evaluating the design and effectiveness of our controls. We have an Architecture Review Board (“ARB”) which reviews new IT initiatives to ensure they align with our digital strategy. Similarly, our Project Management Office (“PMO”) monitors those initiatives throughout implementation to ensure proper communication and seamless transition. The ARB and PMO processes include cybersecurity requirements designed to ensure this topic is considered from the beginning.