CORNING INC /NY - (GLW)

10-K Filing Date: February 12, 2024
Item 1C. Cybersecurity

 

Cybersecurity Risk Management

 

We developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical information technology (“IT”) systems and information.

 

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, incident reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas. We designed and continue to assess our cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), which we use as a guide to help us identify, prioritize and manage the cybersecurity risks that could materially affect our business, financial condition or results of operations.

 

Our cybersecurity risk management program includes a cybersecurity incident response plan (“CIRP”). Corning’s CIRP provides the Company with the capability for responding to, reporting and remediating cybersecurity incidents. It has been established to reduce or minimize the impact of cybersecurity incidents on the Company’s networks, IT systems, users or business processes. Corning’s Cyber Security Incident Response Team, led by the Chief Information Security Officer (“CISO”), handles the response process for all cybersecurity incidents and Corning’s Corporate Crisis Response Team (“CCRT”) is mobilized and involved in any significant incidents.

 

Our cybersecurity risk management program also includes:

a continuous vulnerability management process to monitor and identify threats in our environment, including our IT networks and legacy systems, that could potentially have a materially adverse impact on our critical systems, information and broader enterprise IT environment;

the use of reputable cybersecurity consultants and other third-party experts to enhance our cybersecurity posture, assist us in evaluating risks, conduct security assessments and provide guidance so the Company can maintain a posture of continual enhancement of our cybersecurity management and strategy;
cybersecurity awareness training for our employees, incident response personnel and senior management; and
a risk management process for critical third-party service providers, suppliers and vendors that includes due diligence in selection and periodic monitoring to ensure that they adhere to applicable cybersecurity standards.

 

Cybersecurity Governance

 

Corning’s Board of Directors (“Board”) plays a role in overseeing risks associated with cybersecurity threats. In particular, the IT Committee of the Board is responsible for cybersecurity governance and has information security oversight as a key component of its charter. In all meetings, the IT Committee reviews the Company’s cybersecurity posture as well as significant cybersecurity events. Corning’s Chief Digital and Information Officer (“CDIO”), in combination with Corning’s CISO, briefs the IT Committee on cybersecurity activities and long-term cybersecurity strategies, as well as general cybersecurity trends that could have a material impact on the Company. On an annual basis, the CISO provides a cybersecurity update to the Board and participates in a joint meeting of the IT and Audit Committees to review significant cybersecurity risks and their impact, if any, on internal controls. At any time, Board members may raise concerns regarding the Company’s cybersecurity posture and recommend future changes to controls or procedures. Should a cybersecurity incident rise to the level of a corporate crisis, consistent with the Company’s CCRT escalation protocols, the Board would be engaged.

 

Our CDIO and our CISO lead our management team in assessing and managing our response to cybersecurity threats and incidents. Our CDIO and CISO together have over 50 years of combined experience in information technology, digital and systems transformation, cybersecurity and related risk management and governance. This team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants, and works with all divisional, manufacturing and functional teams within Corning on cybersecurity issues. The team’s efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents are enhanced by briefings from internal security personnel, by receipt of threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, periodic assessments against the NIST CSF and through alerts and reports produced by security tools deployed in our IT environment.

 


 

While Corning has had to address various cybersecurity threats in the ordinary course of its business, we have not identified risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, that have or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.