Philip Morris International Inc. - (PM)

10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity.

PMI relies heavily on the availability, reliability, and security of our information systems, networks, data, and intellectual property to, among other things, help manage our business processes and operations, collect and interpret data, and communicate internally and externally with employees, suppliers, consumers and customers, and business partners. We have a cross-functional cybersecurity risk program developed using standard industry practices, which monitors and manages cybersecurity threats to our business and information systems. We invest in administrative, technical, and physical safeguards, including continuity planning, to enhance resilience on our core processes, to maintain information security protections of our data and to safeguard the privacy of consumers, customers, employees and business partners.

Risk Management and Strategy

Our cybersecurity risk program, managed by our Chief Information Security Officer (“CISO”) and the information security team, is conducted under our enterprise risk management framework and operates on a risk-based approach in assessing risks from cybersecurity threats, as follows:

Cybersecurity Threat Scenarios. Our cybersecurity risk assessment process consists of identifying and compiling a catalogue of top cybersecurity threat scenarios relevant to PMI, which facilitates risk assessments with our IT and business stakeholders.

Cybersecurity Maturity Assessment. Our risk exposure from relevant cybersecurity threat scenarios is mitigated by evaluating existing cybersecurity capabilities and corresponding maturity to identify and address areas for improvement.

Cybersecurity Threat Assessment. To establish PMI’s current and target cybersecurity risk exposure, residual risk exposure from the most relevant cybersecurity threat scenarios across IT platforms and regions is evaluated and measured based upon the cybersecurity maturity assessments.

Cybersecurity Risk Program. PMI has a cybersecurity risk program to enhance its ability to identify, prevent, mitigate, respond to and recover from disruptive cybersecurity threats and incidents and to reduce cybersecurity risk exposure. Improvements in our cybersecurity defense capabilities are prioritized based upon the results of cybersecurity threat assessments and cybersecurity maturity assessments. Identified issues from these assessments form the improvement initiatives under our cybersecurity risk program. As discussed in more detail below under “Governance,” the program’s key improvement initiatives, their implementation status, and the overall progression in our cybersecurity capability maturity are regularly presented to the applicable governing body within PMI. In addition, our cybersecurity risk program operates in coordination with the following:

Cyber Defense. Our dedicated cyber defense team provides services to identify, help prevent, detect and respond to cybersecurity threats and intrusions and collaborates with internal and external stakeholders to help protect PMI’s information, mitigate operational disruptions and maintain business continuity. The cyber defense team’s controls and procedures identify and enable escalation of cybersecurity incidents to the applicable governing body within PMI, as appropriate, to meet disclosure and reporting requirements for such incidents.

Third-Party Cyber Risk Management. Some of our information systems and networks are developed, supplied, or managed by third-party service providers. Our third-party cyber risk management process analyzes and seeks to control risks associated with outsourcing products or services, such as “supply chain” style cyberattacks, and identifies preventative and detective controls to mitigate third-party vendor and service provider cybersecurity risks that could adversely impact our business and operations.

Education and Awareness. PMI regularly provides its workforce with mandatory cybersecurity awareness education and training addressing information security related tasks in line with our evolving information security policies, standards, procedures, and practice as well as supplemental role-based training and awareness programs.

We engage external assessors and other third parties to independently evaluate our cybersecurity risk management process, including the relevance to PMI of identified cybersecurity scenarios and the results of cybersecurity maturity assessments. The outcomes of such evaluations, audits or reviews are reported to the Corporate Risk Governance Committee and to the Audit & Risk Committee, and our cybersecurity policies, standards and processes are adjusted, as necessary.

PMI follows a risk evaluation process for issues identified through internal audits, security assessments, third-party cybersecurity risk assessments, or self-assessment disclosures, and resulting information technology risks are recorded for risk remediation, transfer, avoidance, or acceptance as appropriate. Some of our information systems are managed by specialist third-party service providers, and we work with internal specialists to protect systems and data from unauthorized access and other cybersecurity threats.

Governance

The Audit and Risk Committee of our Board of Directors oversees our policies and practices with respect to risk assessment and risk management, including a review, in coordination with our management, of PMI’s management of cybersecurity. Our CISO presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans.

The Corporate Risk Governance Committee receives quarterly reports on the Company’s overall cybersecurity risk exposure including the individual top cybersecurity threat scenario residual risk ratings and the plan and status of the cybersecurity risk program, to facilitate calibration with other enterprise risk domains and validation of the risk response plans. The Corporate Risk Governance Committee includes our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), General Counsel (“GC”), Senior Vice President Operations, and our Chief Digital & Information Officer (“CDIO”).

Cybersecurity incidents that have been determined to meet established SEC reporting consideration thresholds are promptly communicated to the Disclosure Committee, which is responsible for evaluating the potential materiality of such incidents and ensuring the accuracy, timeliness and completeness of related disclosures under applicable reporting obligations, and other relevant communications or presentations. The Disclosure Committee’s membership includes the following executives: the Corporate Secretary; the GC; the CFO; the Controller & Principal Accounting Officer; the Chief Risk Assurance Officer; and the Vice President, Investor Relations. In addition, the CISO serves as an advisor to the Disclosure Committee.

The CISO has served in various roles in information technology and information security for over 25 years, including in the telecommunications and management consultancy sectors and serving as the Chief Information Security Officer of two large public companies. The CDIO holds an engineering degree and has served in various senior positions in information technology for over 20 years, including serving as Senior Vice President, IT Sales, and Global Chief Information Officer at a public company. The CEO has served in various positions in finance and general management at PMI for over 30 years, including as Chief Financial Officer and Chief Operating Officer, and holds a master’s degree in economics. The CFO has over 15 years of experience in finance and management, having held several executive positions in charge of finance, legal affairs, information systems and industry administration at various companies. The GC has served at PMI for 18 years in several positions within the Legal & Compliance department, including as Vice President and Associate General Counsel of various regions, and holds two master’s degrees, having studied law, management and finance.

As of the date of this Annual Report on Form 10-K, PMI is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect PMI, its business strategy, results of operations or financial condition. For additional information concerning PMI’s risks related to cybersecurity, see Item 1.A. Risk Factors.
