AMERICAN AXLE & MANUFACTURING HOLDINGS INC - (AXL)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management, Strategy and Governance

We rely upon information technology (IT) networks and systems to process, transmit and store electronic information, and to manage or support a variety of critical manufacturing and business processes or activities. Additionally, we and certain of our third-party vendors collect and store personal or confidential information, including personally identifiable information, in connection with human resources operations and other aspects of our business. The secure operation of these information technology networks and systems and the proper processing and maintenance of this information are critical to our manufacturing and business operations.

We have developed and implemented robust processes for identifying, assessing and managing risks from cybersecurity threats. Cybersecurity risk is included in AAM’s “Top Risks Assessment” under our enterprise risk management program as identified and monitored by our Risk Management Working Group. This group is comprised of leadership from the major functions within AAM. The enterprise risk management program includes the identification and continuous evaluation of the risks associated with the systems and information most critical to AAM and the processes and controls in place to protect the systems and information.

In addition, the AAM Information Security Council (ISC), comprised of leadership representatives from across the organization, meets periodically to discuss current threats and trends and the resulting information security initiatives and priorities. The ISC members provide support for policy changes and insights into how the information security team can most effectively educate, communicate, and support AAM. The ISC is led by AAM’s Chief Information Security Officer (CISO), our frontline business leader with regard to cybersecurity risk management. AAM’s CISO has been an IT professional in various capacities for over 25 years and maintains the following certifications: Certified CISO, Certified Information Systems Security Professional, Certified Cloud Security Professional, and Certified Information Privacy Technologist.

Further, in support of our information security program, we utilize certain third-party service providers, primarily in the following capacities: 1) incident response partners that assist with performing incident simulations and who are available to assist in the event of an actual cybersecurity incident; 2) consultants to conduct penetration testing on AAM systems and certain third-party systems, as necessary; and 3) auditors to assist with testing IT controls and performing gap analysis over IT processes and procedures. AAM’s CISO manages and monitors these third-party service provider relationships and works closely with AAM’s information security, procurement, legal and internal audit departments to ensure proper evaluation and security assessment of critical third-party service providers and data processors.

Our Board of Directors and its committees play an active role in overseeing our key risks. Our cybersecurity risk management processes and strategy are governed by the Audit Committee of our Board of Directors. Management provides quarterly reports to the Audit Committee that include, among other items: 1) AAM’s cybersecurity scorecard, which includes certain key performance indicators (KPIs) and provides quantitative measures of these KPIs; 2) industry security trends and outlook; 3) an update on AAM’s security program and roadmap; 4) current quarter IT security accomplishments; and 5) IT security priorities for the following quarter. In addition, on an annual basis, management reports to the Audit Committee the results of our system availability and disaster recovery testing for AAM’s enterprise systems, as well as the results of our incident response testing and corresponding action plans.

Although no cybersecurity incidents during the year ended December 31, 2023 had a material impact on our strategy, financial condition or results of operations, the scope and impact of any future incident cannot be predicted. See Item 1A. Risk Factors for additional discussion regarding AAM’s IT and cybersecurity risks.
