FREEPORT-MCMORAN INC - (FCX)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We maintain a cyber risk management program designed to assess, identify, manage, mitigate and respond to cybersecurity threats and incidents. We seek to address material risks from cybersecurity threats through a cross-functional approach, and we utilize various processes to inform our identification, assessment and management of material risks from cybersecurity threats. Our cyber risk management program is integrated into our overall enterprise risk management (ERM) program. Cybersecurity risks are identified and assessed through our ERM program, which is designed to provide cross-functional executive insight across the business to identify and monitor risks, opportunities and emerging trends that can impact our strategic business objectives. The underlying controls of our cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework.
We utilize dedicated internal and external cybersecurity personnel to focus on assessing, detecting, identifying, managing, preventing and responding to cybersecurity threats and incidents. Our approach to cybersecurity incorporates a layered portfolio of technology controls, including strategic partnerships for our cybersecurity platforms, documented policies and procedures, end user training and dedicated resources to manage and monitor the evolving threat landscape, including through the gathering of actionable threat intelligence. We maintain and periodically evaluate and, as needed, update our information security policy and an incident response plan, which describes the processes we use to prepare for, detect, respond to and recover from a cybersecurity incident, including processes to assess severity, escalate, contain, investigate and remediate an incident, as well as to comply with potentially applicable legal obligations.
We regularly evaluate and assess the threat landscape and our security controls, including through audits and assessments, regular network and endpoint monitoring, vulnerability testing, penetration testing and tabletop exercises that include senior management. To assess the design and effectiveness of our cybersecurity controls, we engage with assessors, consultants, auditors and other third parties, including through independent third-party reviews of our information technology security program conducted on at least an annual basis. We also have processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers, including performing diligence on certain third parties that have access to our systems, data or facilities that store such systems or data, continually monitoring cybersecurity threat risks identified through such diligence and contracting to manage cybersecurity risks in specified ways such as agreements to be subject to periodic cybersecurity audits.
We have experienced targeted and non-targeted cybersecurity incidents in the past, including an incident in August 2023 that affected certain of our information systems and resulted in temporary disruptions to parts of our operations. However, prior cybersecurity incidents, including the August 2023 incident, have not materially affected us. Notwithstanding our cyber risk management program, we may not be successful in preventing or mitigating a cybersecurity incident that could materially affect us, including our business strategy, results of operations or financial condition. Refer to Item 1A. “Risk Factors” for further information on the risks we face from cybersecurity threats.
Governance
Our cybersecurity risk management and strategy processes are led by our Chief Information Officer (CIO) and our Chief Information Security Officer (CISO). Our CIO and CISO are responsible for assessing and managing our material risks from cybersecurity threats and are informed about and oversee the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, our cybersecurity risk management and strategy processes described in “Risk Management and Strategy” above. These individuals collectively have over 55 years of prior work experience in various roles involving managing information and operational technology security, cybersecurity and operational technology risk management, developing cybersecurity strategy, implementing effective information technology and cybersecurity processes and procedures, and experience in managing regulatory compliance, as well as several relevant degrees and certifications, including one individual with the Certified Information Systems Security Professional certification.
Our ERM management committee is responsible for providing input and oversight on our ERM program, including cybersecurity risks. Our ERM management committee is comprised of senior leaders, including our CIO, with responsibility across operations and core business functions, and with a breadth of knowledge, influence and experience covering the risks we face. An annual report on our enterprise risks, including cybersecurity risks, is presented to the Audit Committee and/or the full Board of Directors (Board).
While management is responsible for the day-to-day management of cybersecurity risks, our Board and Audit Committee have ongoing oversight roles. Our Audit Committee has responsibility for, among other things, oversight of our information technology and cybersecurity processes and procedures, including oversight of risks from cybersecurity threats. The Audit Committee reviews and discusses with management, including reports from our CIO, at least annually:
• the adequacy and effectiveness of our information technology security processes and procedures,
• the assessment of risks and threats to our information technology systems,
• the internal controls regarding information technology security and cybersecurity, and
• the steps management has taken to monitor and mitigate information technology security and cybersecurity risks.
The Audit Committee also periodically receives reports on notable cybersecurity incidents. The Audit Committee periodically briefs the full Board on these matters.