Garrett Motion Inc. - (GTX)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company's cybersecurity objective is to protect Garrett against data privacy breaches, information theft, and external and insider cyber threats through the use of a combination of leading technologies, policies, and procedures. The Company has processes in place to identify, assess and monitor material risks from cybersecurity threats, which are part of the Company's overall enterprise risk management ("ERM") process and have been embedded in the Company's operating procedures, internal controls and information systems. To that end, we take a holistic approach to securing our data and business systems from attack, compromise or loss.
The Company has cybersecurity capability including a Security Operations Center ("SOC") that is managed by a dedicated Chief Information Security Officer ("CISO") whose team is responsible for leading the Company-wide cybersecurity strategy, policy, standards, architecture, and processes. The SOC provides visibility across all information technology assets and includes proactive cybersecurity threat detection technology that facilitates the identification of misconfigurations in order to mitigate threats and prevent data loss. As part of the Company's holistic approach to cybersecurity, we have implemented programs and technology associated with threat hunting, vulnerability scanning, and threat detection and response.
As part of its cybersecurity risk management, the Company delivers specific education to the organization on how to identify potential cybersecurity risks and protect the Company’s resources and information. This training is mandatory for all employees globally on a regular basis and may be supplemented by various testing initiatives including periodic phishing tests.
The Company leverages third-party expertise for periodic effectiveness testing of its prevention, detection, and response capabilities. The Company also requires all third-party service providers to meet certain cybersecurity requirements, including risk assessment and monitoring activities. In addition, third-party service providers with access to the Company's network are also required to undertake cybersecurity training.
While Garrett focuses heavily on prevention and detection, response and recovery plans, service agreements and partner engagements are in place should there be a need for us to respond to a cybersecurity attack. The Company's response process includes identifying the incident; notifying the executive team; activating the crisis team; assessing the business risk and materiality of the incident; managing the recovery of operations; and performing a post-incident analysis. The Company maintains business continuity and disaster recovery plans. The Company also engages in cyber crisis response simulations to assess our incident response ability and effectiveness.
No cybersecurity incidents have occurred that materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition during the year ended December 31, 2023. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us in the future. See Item 1A. "Risk Factors" for a discussion of cybersecurity risks.
Governance
Role of Management
The Company has a Cyber Risk Governance Council consisting of the Senior Vice President Chief Digital and Information Officer (“CDIO”), the CISO, the IT leadership team, and the legal and cybersecurity teams that focuses on cybersecurity and compliance risks. The Cyber Risk Governance Council meets monthly to review cybersecurity risks and related risk management methodologies. Cybersecurity risks are included in the Company’s ERM as appropriate based on potential impact and vulnerability assessed according to certain set criteria and defined ERM materiality thresholds. Regular discussions over cybersecurity developments and risk mitigation approaches are held by the Cyber Risk Governance Council with the Chief Executive Officer and the senior leadership team.
Role of the Board
The Board of Directors is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk. The Board has delegated responsibility for oversight of the Company's cybersecurity framework and risk management to the Audit Committee.
The CDIO and CISO provide reports to the Audit Committee at least semi-annually on the Company’s cybersecurity program including the external threat environment, the Company’s programs to address and mitigate the risks associated with the evolving cybersecurity threat environment, and the results of evaluation of the Company’s cybersecurity program by external experts. The Audit Committee, as well as the Board of Directors, is also promptly informed about any information security incidents that may pose significant risk to the Company.