UNITED STATES STEEL CORP - (X)
10-K Filing Date: February 02, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
U. S. Steel maintains robust processes for assessing, identifying and managing material risks from cybersecurity threats. U. S. Steel’s cybersecurity program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and the risk of cybersecurity threats is integrated into the Company’s Enterprise Risk Management (“ERM”) program, led by the Chief Risk Officer. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned risk owners to establish action plans and implement risk mitigation strategies. The cybersecurity threat risk action plan is managed at the enterprise level by the Senior Vice President – Global Information Technology and President, USSE (the “CIO”) and the Chief Information Security Officer (the “CISO”). Each quarter, the risk owners review and update the cybersecurity threat risk action plan to provide the status on specific risk mitigation actions and to identify new threats. U. S. Steel works closely with its internal and external auditors to assess, plan for, prevent and mitigate cybersecurity risks.
The Company maintains a Cybersecurity Incident Response Plan (CSIRP), which establishes an organizational framework and guidelines intended to facilitate an effective response and handling of cybersecurity incidents that could jeopardize the availability, integrity, or confidentiality of U. S. Steel’s assets. The CSIRP outlines roles and responsibilities, criteria for measuring the severity of a cybersecurity incident, and an escalation framework. The CSIRP also addresses senior management responsibility with respect to disclosure determinations related to a cybersecurity incident and provides for Audit Committee and Board briefings as appropriate. Along with the CSIRP, management sustains numerous programs and processes to stay informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The list of cybersecurity programs and processes described below is not meant to be exhaustive, but to provide examples of such programs and processes.
The Company engages with third party cybersecurity specialists to provide an independent assessment of U. S. Steel’s cybersecurity programs and to prepare a 5-year plan to maintain compliance and operational excellence. Management periodically reviews the 5-year plan and modifies it in response to changes in the threat landscape and otherwise as needed. Management employs defense-in-depth mechanisms throughout the enterprise, including, but not limited to, employee training, vulnerability management, multi-factor authentication, cybersecurity insurance and tabletop exercises to mitigate and/or prevent cybersecurity incidents. Management also assesses the cybersecurity proficiency of potential third party cloud suppliers before utilizing their services. The assessment identifies cybersecurity-related risks and makes recommendations to enhance the security of new cloud computing services. The Company reassesses cloud suppliers on a regular interval.
A cybersecurity incident may be detected in a number of ways, including, but not limited to, through automated reporting mechanisms, network and system indicators, intrusion detection systems, internal investigations, employee reports, law enforcement reports, or other third party notification. To oversee and identify cybersecurity threat risks on a day-to-day basis, including from third party service providers, the Company maintains a security operations center with round-the-clock monitoring, and the CIO receives regular reports on industry activity.
Upon receiving notification of a cybersecurity incident, the cybersecurity operations team acts to isolate and contain the threat. The CISO, along with the Chief Safety & Security Officer, will consult and determine the incident severity level, which determines whether the incident should be escalated. Critical and high severity incidents must be reported to the General Counsel. The Company may engage third party experts for assistance with crisis management, including forensic investigations, ransom negotiation, or crisis communication. During this process, the cybersecurity operations team will take steps to preserve evidence as soon as possible, including, but not limited to, memory dumps, log preservation and forensic hard drive collection. In addition, the General Counsel, in consultation with the CISO and others as necessary and appropriate, will promptly evaluate whether the incident requires legal notifications or disclosure, including whether the incident requires disclosure under the U. S. securities laws.
Following a cybersecurity incident, the General Counsel will direct the development of documentation regarding lessons learned in the response, including evaluation of preparedness capability, to continuously strengthen the cybersecurity posture of the Corporation.
Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect U. S. Steel, including its business strategy, results of operations or financial condition. See “Item 1A. Risk Factors, A failure of our information technology infrastructure and cybersecurity threats may adversely affect our business operations.” above for more information. While we continually work to safeguard the information systems we use, and the proprietary, confidential and personal information residing therein, and mitigate potential risks, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks and data or those of our third party providers.
Governance
The Board of Directors is responsible for overseeing the assessment and management of enterprise-level risks that may impact U. S. Steel. The Audit Committee has primary responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. Management, including the CIO and CISO, reports on cybersecurity matters regularly to the Board, primarily through the Audit Committee, including an annual report regarding specific risks and mitigation efforts within U. S. Steel and a 5-year cybersecurity threat assessment conducted by third party experts. Management provides benchmarking information and updates on key operational and compliance metrics to the Board. In addition, cybersecurity training is provided to the full Board of Directors, including training by third party experts, to educate directors on the current cybersecurity threat environment and measures companies can take to mitigate risk and impact of cyberattacks.
As described above, management is actively involved in assessing and managing U. S. Steel’s material cybersecurity risks. The CIO and the CISO primarily lead these efforts. The CIO is responsible for the oversight of U. S. Steel’s entire global IT operation, including the cybersecurity program, and holds a Bachelor of Science in electrical engineering technology from Purdue University and a Master of Business Administration from Wayne State University. The CISO reports directly to the CIO and has responsibility for leadership of U. S. Steel’s global cybersecurity program. She holds a bachelor’s degree in Information Systems Management, a master’s degree in Internet Information Systems, and a doctorate in Instructional Management and Leadership. The CISO also completed the Chief Information Security Officer Certificate program at Carnegie Mellon University, where she now serves as a coach for the program, and holds a Certified Information Systems Security Professional (CISSP) certification. She is an active member of the Greater Pittsburgh CISO Group and the Steel City OTSEC Information Sharing Group, and serves on the Editorial Review Board for two peer-reviewed journals (International Journal of Cyber Research and International Journal of Information and Communication Technology Education).