FORD MOTOR CO - (F)
10-K Filing Date: February 07, 2024
ITEM 1C. Cybersecurity.
While no organization can eliminate cybersecurity risk entirely, we devote significant resources to our security program that we believe is reasonably designed to mitigate our cybersecurity and information technology risk. Our efforts focus on protecting and enhancing the security of our information systems, software, networks, and other assets. These efforts are designed to protect against, and mitigate the effects of, among other things, cybersecurity incidents where unauthorized parties attempt to access confidential, sensitive, or personal information; potentially hold such information for ransom; destroy data; disrupt or degrade service or our operations; sabotage systems; or otherwise cause harm to the Company, our customers, suppliers, or dealers, or other key stakeholders. We employ capabilities, processes, and other security measures we believe are designed to reduce and mitigate these risks, and have requirements for our suppliers to do the same. Despite having thorough due diligence, onboarding, and cybersecurity assessment processes in place for our suppliers, the responsibility ultimately rests with our suppliers to establish and uphold their respective cybersecurity programs. Our ability to monitor the cybersecurity practices of our suppliers is limited and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, networks, and other assets owned or controlled by our suppliers. When we become aware that a supplier’s cybersecurity has been compromised, we attempt to mitigate the risk to the Company, including, if appropriate and feasible, by terminating the supplier’s connection to our information systems. Notwithstanding our efforts to mitigate any such risk, there can be no assurance that the compromise or failure of supplier information systems, technology assets, or cybersecurity programs would not have an adverse effect on the security of the Company’s information systems.
In an effort to effectively prevent, detect, and respond to cybersecurity threats, we employ a multi-layered cybersecurity risk management program supervised by our Chief Information Security Officer, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, architecture, and processes. This responsibility includes identifying, considering, and assessing potentially material cybersecurity incidents on an ongoing basis, establishing processes designed to prevent and monitor potential cybersecurity risks, implementing mitigation and remedial measures, and maintaining our cybersecurity program. To do so, our program leverages both internal and external techniques and expertise. Internally, among other things, we perform penetration tests, internal tests/code reviews, and simulations using cybersecurity professionals (often referred to as “white hat hackers” or a “Red Team”), to assess vulnerabilities in our information systems and evaluate our cyber defense capabilities. We also perform phishing and social engineering simulations with, and provide cybersecurity training for, personnel with Company email and access to Company assets. On a monthly basis, we disseminate security awareness newsletters to employees to highlight emerging or urgent cybersecurity threats and best practices. Externally, we monitor notifications from the U.S. Computer Emergency Readiness Team (“CERT”) and various Information Sharing and Analysis Centers (each an “ISAC”); review customer, media, and third-party cybersecurity reports; and offer bounties to responsible third parties who notify us of vulnerabilities they are able to detect in our cyber defenses (commonly referred to as a “Bug Bounty”). Our capabilities, processes, and other security measures also include, without limitation:
• Security Information and Event Management (“SIEM”) software, which provides a threat detection, compliance, and security incident management system;
• Endpoint Detection and Response (“EDR”) software, which monitors for malicious activities on external-facing endpoints (e.g., Windows workstations, servers, MAC clients, and Linux endpoints);
• Cloud monitoring, running on primary public and private cloud environments; and
• Disaster recovery and incident response plans, including a ransomware response plan.
We invest in enhancing our cybersecurity capabilities and strengthening our partnerships with appropriate business partners, service partners, and government and law enforcement agencies to understand the range of cybersecurity risks in the operating environment, enhance defenses, and improve resiliency against cybersecurity threats. Additionally, we are a member of the Financial Services and Information Technology ISACs and both a founding member and board member of the Automotive ISAC. Our membership with these industry cybersecurity groups assists in our efforts to protect the Company against both enterprise and in-vehicle security risks.
The Company’s global cybersecurity incident response is overseen by our Chief Information Security Officer. Our Chief Information Security Officer has served in that role for over 6 years and has over a decade of engineering and operations expertise with cybersecurity technologies and services. Our Chief Information Security Officer reports to our Chief Enterprise Technology Officer who has spent over two decades leading digital and technology organizations at both enterprise software companies and Fortune 50 enterprises. Our Chief Enterprise Technology Officer reports directly to the Chief Executive Officer.
When a cybersecurity threat or incident is identified, our policy is to review and triage the threat or incident, and to then manage it to conclusion in accordance with our cybersecurity incident response processes. When a cybersecurity incident is determined to be significant, it is addressed by management committees using processes that leverage subject-matter expertise from across the Company. Further, we may engage third-party advisors, from time to time, as part of our incident management processes. All cybersecurity incidents that are identified as reasonably having the potential to be highly significant to the Company are brought to the attention of both the Chief Enterprise Technology Officer and General Counsel by the Chief Information Security Officer as part of our cybersecurity incident response processes.
Cybersecurity risk management is an integral part of our overall enterprise risk management program. As part of its enterprise risk management efforts, the Board meets with senior management, including the executive leadership team, to assess and respond to critical business risks. Critical enterprise risks are assessed by senior management annually and discussed with the Board. Once identified, each of the risks we view as most significant is assigned an executive risk owner who is responsible for overseeing risk assessment, developing and implementing mitigation plans, and providing regular updates to the Board (and/or the Board committee assigned to the risk). Cybersecurity threats have been and continue to be identified as one of the Company’s top risks, with our Chief Enterprise Technology Officer and Chief Information Security Officer assigned as the executive risk owners. The Board has delegated primary responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee.
As part of its oversight responsibilities, the Audit Committee receives regular updates on our cybersecurity practices as well as cybersecurity and information technology risks from our Chief Information Security Officer. These regular updates include topics related to cybersecurity practices, cyber risks, and risk management processes, such as updates to our cybersecurity programs and mitigation strategies, and other cybersecurity developments. In addition to these regular updates, as part of our incident response processes, the Chief Enterprise Technology Officer, in collaboration with the Chief Information Security Officer and General Counsel, provides updates on certain cybersecurity incidents to the Audit Committee and, in some cases, the Board. The Audit Committee reviews and provides input into and oversight of our cybersecurity processes, and in the event Ford determines it has experienced a material cybersecurity incident, the Audit Committee is notified about the incident in advance of filing a Current Report on Form 8-K.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. Moreover, we, our suppliers, and our dealers have been the target of cybersecurity incidents and such threats are continuing and evolving, which may cause cybersecurity incidents to be more difficult to detect for periods of time. Our networks and in-vehicle systems, sharing similar architectures, could also be impacted by, or a cybersecurity incident may result from, the negligence or misconduct of insiders or third parties who have access to our networks and systems. A cybersecurity incident could harm our reputation, cause customers to lose trust in our security measures, and/or subject us to regulatory actions or litigation, which may result in fines, penalties, judgments, or injunctions, and a cybersecurity incident involving us or one of our suppliers could impact our business strategy, results of operations, financial condition, or our reputation. For additional information, see “Operational information systems, security systems, vehicles, and services could be affected by cybersecurity incidents, ransomware attacks, and other disruptions and impact Ford and Ford Credit as well as their suppliers and dealers” on page 20.