EIDP, Inc. - (CTA.PA)
10-K Filing Date: February 08, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy. The company’s risk management programs for cybersecurity are integrated into the company’s enterprise risk management and general compliance programs and processes.
Our cybersecurity program utilizes a layered, defense-in-depth strategy to identify and mitigate cybersecurity threats. The company’s information security team is responsible for the day-to-day management of the company’s global information security program, which includes defining policies and procedures to safeguard our information systems and data, conducting vulnerability, threat and third-party information security assessments, information security event management (i.e., responding to ransomware and other cyber-attacks, business continuity and recovery), evaluating external cyber intelligence, supporting industry cybersecurity efforts and working with governmental agencies. The global information security team also develops training for personnel (e.g., employees and contractors) with access to Corteva’s system to support adherence to the company’s policies and procedures, along with increasing awareness of cyber-related risk. The personnel training includes, but is not limited to, mandatory onboarding training, phishing simulations with automated remediation training, table-top incident response exercises, and educational intranet posting and email campaigns.
Our Enterprise Risk Management Committee, which includes the company’s Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), independently assesses and monitors the effectiveness of the company’s cybersecurity risk management programs and strategies. The company’s internal audit function also performs independent reviews and validation of the various programs, including policies and procedures as determined by their annual risk assessment.
The company leverages the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“Framework”) as the foundation of its global information security program. The NIST Framework provides standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk and is designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders. The company’s information security team works with independent, third-party consultants annually to assess the maturity of the company’s cybersecurity program within the NIST Framework and to develop strategic areas of focus for the company’s programs commensurate with the company’s business objectives.
As part of the company’s global information security program, we leverage both internal and external assessments and partnerships with industry leaders to help approach information security company-wide. Additionally, the company maintains a comprehensive program that defines standards for the planning, sourcing, management, and oversight of third-party relationships and third-party access to its system, facilities, and/or confidential or proprietary data.
Cybersecurity incidents may create risk to the company that may impact its reputation, financial performance, ability to operate safely or at all, and the value of its intellectual property. Like most major corporations, the company is the target of industrial espionage, including cyberattacks, from time to time. The company has determined that these incidents have resulted, and could result in the future, in unauthorized parties gaining access to certain confidential business information. However, to date, Corteva has not experienced any known cybersecurity incidents that have materially affected the company, including the company's results of operations and financial condition, changes in the competitive environment, business operations and strategy. Although management does not believe that Corteva has experienced any material losses to date related to cybersecurity incidents, there can be no assurance that Corteva will not suffer such losses in the future. For more information on potential risk related to cybersecurity incidents, including intellectual property theft and operational disruption, please see “Item 1A – Risk Factors” of this report.
Governance. The company’s Audit Committee and Governance and Compliance Committee provide board oversight of company cybersecurity risks. The Audit Committee conducts a minimum of two cybersecurity program updates per year, including a review of capital spend, budget, and staffing, as well as quarterly reports on cybersecurity threats and key risk indicators related to the company’s progress on risk mitigation activities. The Governance and Compliance Committee, as part of its oversight for the enterprise risk management program company-wide, reviews and ensures that the company’s oversight and governance structure related to company risks, including cybersecurity risks, remains appropriate and that risks are appropriately managed.
The company’s CIO oversees the company’s information technology programs and investments. The company’s CISO reports to the CIO and oversees the company’s information security programs. The company’s CIO has over 30 years of information technology experience, including nine years in various information technology leadership roles. Our CIO holds bachelor of science and master of science degrees in organizational communications as well as an M.B.A. in information technology. The company’s CISO has over thirty years of experience in information security and is a Certified Information Security Manager® (CISM®), a Certified Data Privacy Solutions Engineer™ (CDPSE®), as well as being Certified in Risk and Information Systems Control® (CRISC®). Our CISO holds a bachelor of science degree in electrical engineering as well as an M.B.A. in operations, technology.
Both the CIO and CISO regularly report to the Audit Committee, the Board and the Governance and Compliance Committee on the company’s identification, prevention, detection, mitigation and remediation of cybersecurity risks and incidents. In 2023, the Board reviewed the company’s cybersecurity program and maturity assessment, while the Audit Committee provided regular oversight of cybersecurity risks, with cybersecurity discussions and dashboard reviews of key performance indicators and risks at five committee meetings during the course of the year. With respect to specific incidents, the company leverages an incident response framework to elevate and evaluate specific incidents to the CIO and CISO, along with the company’s senior leadership, including the finance and legal functions. In the event of a potentially material cybersecurity incident, the Audit Committee would be immediately notified and briefed.