GOODYEAR TIRE & RUBBER CO /OH/ - (GT)
10-K Filing Date: February 13, 2024
Management is responsible for identifying, monitoring and mitigating the material risks facing the Company, including cybersecurity risks. The Board of Directors oversees management’s processes related to those risks. The Audit Committee of the Board of Directors is responsible for overseeing the risks associated with information technology and cybersecurity threats, and reports on its activities to the full Board following each committee meeting.
The Audit Committee exercises its risk oversight function by carefully evaluating information and cybersecurity reports it receives from management; assessing the priorities and roadmap of the cybersecurity program; and making inquiries of management with respect to areas of particular interest to the Board. Senior leadership, including our chief information officer (“CIO”) and our chief information security officer, periodically briefs the Audit Committee on our cybersecurity and information security programs and reviews cybersecurity incidents.
Our global information technology organization, led by our CIO, is responsible for our overall information security strategy, policies, operations and threat detection and response. Our current CIO has more than two decades of experience in positions of increasing authority at the Company. The global information technology organization manages and maintains the cybersecurity program with the goal of preventing, detecting and remediating incidents, and works to increase our system resilience to minimize the business impact should an incident occur. Our cybersecurity program is informed by the National Institute of Standards and Technology Cyber Security Framework (NIST-CSF). Consistent with that framework, our cybersecurity program addresses the need to identify, protect, detect, respond and recover from cyber risks. The process includes notification of potentially significant incidents to the Cybersecurity Disclosure Committee and the Audit Committee of the Board, as appropriate. Our Cybersecurity Disclosure Committee is comprised of senior leadership across multiple functional areas and is responsible for reviewing and evaluating potentially significant cybersecurity incidents and for determining whether any notification or disclosure is required under applicable laws.
Third parties are also incorporated into our approach to cybersecurity. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, cybersecurity maturity assessments or consulting on best practices to address current and new challenges. These evaluations include testing both the design and operational effectiveness of security controls.
We recognize a cybersecurity incident experienced by a supplier or joint venture partner could materially impact us. We assess third-party cybersecurity controls as part of our third-party IT risk due diligence and engage in cybersecurity consultant-led solution design reviews when integrating new tools or third parties. We contractually require third parties to report cybersecurity incidents to us so we can assess the impact of the incident and any necessary regulatory reporting obligations that may be required.
Notwithstanding our risk management efforts related to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material or other adverse effect on us. See Item 1A. “Risk Factors” for a discussion of our information technology and cybersecurity risks.