CUMMINS INC - (CMI)
10-K Filing Date: February 12, 2024
ITEM 1C. Cybersecurity
Material Cybersecurity Risks, Threats and Incidents
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A "Risk Factors" under the heading "General," which should be read in conjunction with the foregoing information.
Cybersecurity Governance
We are committed to protecting our Information Technology (IT) assets and the data stored within these assets. This commitment includes the protection of IT assets relevant to our operations, stakeholder data (including employee, customer and supplier data), intellectual property and our products.
The Cummins Enterprise Cybersecurity function, which is responsible for the administration of our enterprise cybersecurity program, is led by the Chief Information Security Officer, who has more than 25 years of information technology, IT architecture and operations experience in the industrial manufacturing industry. The Chief Information Security Officer reports to our Chief Information Officer. These leaders provide regular updates to the Audit Committee of the Board on cybersecurity risks. Through these updates, the Audit Committee receives a cybersecurity dashboard illustrating the status of key cybersecurity activities such as email phishing, event logging and data encryption. Information regarding relevant cybersecurity training is provided as well.
The Product Cybersecurity function, which is responsible for the administration of our product cybersecurity program, is led by the Executive Director – Corporate Product Cybersecurity and Functional Safety, who has more than 35 years of automotive industry and electronic controls design experience. The Executive Director – Corporate Product Cybersecurity and Functional Safety reports to our Chief Technical Officer. These leaders provide regular updates to the SET Committee of the Board on product-related cybersecurity risks. Through these updates, the SET Committee receives a report discussing product-level vulnerability management, product-level incident management and the status of relevant product cybersecurity activities.
Our processes for oversight of cybersecurity risks are integrated into our Enterprise Risk Management (ERM) program, which is led by the Executive Director, Global Risk. To govern the ERM program, we established an Executive Risk Council that meets regularly to review and monitor our most significant enterprise risks, including the prevention, detection and mitigation plans, including with respect to cybersecurity. The Executive Risk Council is comprised of senior leaders with cross-functional experience and responsibilities.
Our Board and its committees are engaged in the oversight of our most significant enterprise risks, including cybersecurity risks. We assign a member of our executive management team to report material information to our Board regarding these risks. The Audit Committee, working with the Chief Information Officer, provides oversight of the enterprise cybersecurity program. The SET Committee, working with the Chief Technical Officer, provides oversight of the product cybersecurity program.
Our Board, Audit Committee and SET Committee receive reports and information from our senior leaders who have functional responsibility for the mitigation of enterprise cybersecurity and product cybersecurity risks. These leaders meet with the committees on a regular basis, at least four times per year, and provide dashboards or reports, which summarize cybersecurity risks and action plans.
Cybersecurity Risk Management and Strategy
We have an Enterprise Cybersecurity Management Review Group (Enterprise Cybersecurity MRG), which functions as a steering committee to provide oversight and strategic direction for the enterprise cybersecurity program. The Enterprise Cybersecurity MRG is comprised of senior leaders with cross-functional experience and responsibilities. This MRG meets regularly, at least four times per year, with our Chief Information Security Officer to review the cybersecurity program and related risks. The MRG receives updates on the status of key cybersecurity initiatives and is responsible for our response to material cybersecurity incidents.
We have a Product Cybersecurity Management Review Group (Product Cybersecurity MRG), which functions as a steering committee to provide oversight and strategic direction for the product cybersecurity program. The Product Cybersecurity MRG is comprised of senior leaders with cross-functional experience and responsibilities. The Product Cybersecurity MRG meets regularly with the Executive Director – Corporate Product Cybersecurity and Functional Safety to review the cybersecurity program, including risks and the status of key initiatives.
Both the Enterprise and Product Cybersecurity functions administer policies related to cybersecurity in consultation with other stakeholders at the company. We have a third-party risk management process, which is designed to assess and manage cybersecurity risks posed by third parties. This process is administered by the Enterprise Cybersecurity function.
In addition, a cybersecurity operations team is in place, which monitors the environment for cybersecurity incidents on a regular basis. We have incident response plans to assess and manage cybersecurity incidents. These plans include escalation procedures based on the nature and severity of the incident. The most critical incidents, which could be material to us, are escalated to executive management and the Enterprise Cybersecurity MRG. The Enterprise Cybersecurity MRG practices the incident response process through a tabletop exercise facilitated by external consultants. In addition, cyber insurance is in place, which may mitigate the impact of cybersecurity incidents.
We engage outside experts where appropriate to aid in developing and implementing the cybersecurity program and to review its operations. Our Internal Audit function also performs regular assessments of the design and operational effectiveness of the program’s key processes and controls. We will continue to enhance our cybersecurity operations to respond to the dynamic cybersecurity landscape.