Axalta Coating Systems Ltd. - (AXTA)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The availability of our products and services and fulfillment of our customer obligations depend on the continuing operation of our information technology and communications systems. Accordingly, cybersecurity represents a critical component of the Company’s overall approach to risk management. The Company’s cybersecurity policies, standards and practices are integrated into the Company’s enterprise risk management (“ERM”) approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by the Board, as described below, acting through the Audit Committee. The Company’s cybersecurity policies, standards and practices leverage recognized frameworks established by the International Organization for Standardization.
The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the goals of implementing and maintaining preventative controls, identifying and monitoring threats and maximizing chances of recovery in the case of a cybersecurity incident.
The Company periodically engages assessors, consultants, auditors and other third parties to assess our cybersecurity programs, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The Company attempts to adjust its cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews. In engaging with third-party providers that will have access to certain sensitive Company data, the Company performs a cross-functional due diligence review and attempts to identify risks posed by engaging such third-party providers, and, where feasible, seeks to obtain contractual commitments from such third parties with respect to such engagement. The Company maintains cybersecurity insurance with coverage for security incident response expenses, certain losses due to network security failures, investigation expenses, privacy liability and certain third-party liability, subject to certain deductibles, exclusions and policy limits.
Governance and Oversight
The Board and the Audit Committee are responsible for overseeing the Company’s ERM processes, with the Audit Committee being tasked with overseeing cybersecurity risks facing the Company. Throughout the year, the Audit Committee receives relevant updates from management on cybersecurity matters, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the overall threat environment, technological trends, global employee training and efforts to enhance the Company’s cybersecurity capabilities and preparedness. Relevant matters are also reviewed with the full Board on at least an annual basis.
The Company’s Chief Information and Digital Officer (the “CIDO”), who reports directly to the Senior Vice President, Chief Financial Officer, is the member of the Company’s management that is principally responsible for overseeing the Company’s cybersecurity risk management programs, in partnership with business and functional leaders across the Company. The CIDO has 23 years of experience in the information technology and cybersecurity field, including previous roles in security architecture, audit, compliance, and governance.
Under the oversight of the CIDO, members of the Company’s Information Technology and Compliance departments administer the Company’s cybersecurity response policies, including assessing cybersecurity incidents as they occur and determining the severity of any cybersecurity incidents. To facilitate the success of this program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company’s policies. These teams report to an incident response governance team, which is composed of members of the Company’s senior leadership team. These teams monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report incidents to the Audit Committee, as appropriate.
For additional information regarding how cybersecurity threats have affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see Part I, Item 1A, “Risk Factors—General Risk Factors—Interruption, interference with, or failure of our information technology and communications systems could hurt our ability to effectively provide our products and services, which could harm our reputation, financial condition, operating results and cash flows”.