BORGWARNER INC - (BWA)
10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity
BorgWarner’s Board of Directors acknowledges the importance of upholding the trust and confidence of its customers, business partners, employees and other stakeholders. The Board, in conjunction with the Audit Committee, is involved in the oversight of the Company’s risk management program, including its Cybersecurity Program. The Cybersecurity Program is managed by the Chief Information Officer (“CIO”), whose information technology (“IT”) team is responsible for enterprise-wide information technology, including cybersecurity strategy, policy, standards, architecture and processes. The Cybersecurity Program, including its standards, processes and practices, is benchmarked against recognized cybersecurity frameworks. The Cybersecurity Program continually enhances the enterprise security structure and contingency plans with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing the organization’s system resilience to minimize the business impact should an incident occur.
Risk Management and Strategy
Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents. The Cybersecurity Program has various tools and programs in place to monitor and address potential threats and incidents impacting the Company’s operations, to determine the materiality of such threats or incidents and to ensure their timely public disclosure, if appropriate.
Technical Safeguards: The Company deploys technical safeguards designed to protect the Company’s information systems from cybersecurity threats. The Company deploys tools in an effort to detect vulnerabilities, and when a weakness is identified, the Company seeks to assess the significance of the impact and mitigate before the weakness is exploited by an unauthorized actor.
Incident Response and Recovery Plan: The Company has an incident response and recovery plan, which details the steps to be taken from the initial internal reporting of a potential cybersecurity incident.
Third-Party Risk Management: The Company is developing processes and procedures to identify and oversee cybersecurity risks presented by third parties, including service providers, vendors and other users of the Company’s systems.
Education and Awareness: The Company provides regular, mandatory training for applicable personnel on cybersecurity threats to help them identify, avoid and address cybersecurity threats and to communicate the Company’s Cybersecurity Program, including applicable policies, standards, processes and practices.
Governance
The Board and the Audit Committee actively discuss cybersecurity risks with management and among themselves. The CIO reports on the Company’s Cybersecurity Program and the Company’s approach to cybersecurity risk management to the Audit Committee of the Board of Directors two times a year and to the full Board periodically, as appropriate. These reports include updates on the Company’s cybersecurity risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the information security program, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the emerging threat landscape, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
The Audit Committee and Board receive prompt and timely information regarding cybersecurity threats and incidents that meet specified thresholds, as well as ongoing updates regarding any such threats or incidents until they have been addressed.
The Cybersecurity Program and related initiatives are managed by the CIO, and the Company’s IT team is responsible for enterprise-wide information technology, coordinating with various functions and business groups to ensure they are following best practices. The current CIO has over two decades of experience in various roles in information technology and information security. The CIO and the IT team work with the business to implement the Cybersecurity Program, which is designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s Cybersecurity Incident Response Plan. The CIO and the IT team use detection tools to monitor for cybersecurity threats and incidents in real time, apply mitigation and remediation steps and then report such threats to the Audit Committee and the Board, as appropriate.
The Company’s efforts include a wide range of actions, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating and improving the effectiveness of the Company’s cybersecurity measures and planning. The Company engages in periodic assessment and testing of the Cybersecurity Program and may periodically engage a third-party expert to conduct the assessment, audits and testing. The results of such assessments, audits and testing are reported to the CIO and the Audit Committee or full Board, as applicable, and the Company makes adjustments as appropriate.
As of the date of this report, the Company is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Despite the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company or its stakeholders. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.