Amcor plc - (AMCR)

10-K Filing Date: August 16, 2024
Item 1C. - Cybersecurity

We engage in an annual enterprise-wide risk assessment process which includes an evaluation of cybersecurity risks. We recognize the critical importance of securing the information of the Company’s customers, vendors, and employees and maintaining the security of our systems and data and have developed a comprehensive cybersecurity incident response plan.

Governance

While everyone at the Company plays a part in managing cybersecurity risks, oversight responsibility is shared by the Board of Directors, the Audit Committee, and management. The full Board of Directors receives an annual information technology report and an update from management, which includes an update on our cybersecurity efforts. The Board of Directors has delegated to the Audit Committee the review of the quarterly cybersecurity reports from management, which outline our cybersecurity risk management framework and include updates on our completed, on-going, and planned actions relating to cybersecurity risks.

Our Chief Information Security Officer ("CISO") leads our global Security Operations Center and has over 20 years of experience in cybersecurity, including serving in similar roles at other public companies. Our CISO reports to our Vice President of Information Technology, who has 28 years of experience in Manufacturing and Financial Services and has been leading our IT function for 14 years. Our Vice President of Information Technology reports to our Chief Financial Officer. Our employees supporting our information security program have relevant educational and industry experience.

Our Security Operations Center team members have extensive experience in deploying and operating cybersecurity technologies, which is enhanced on an ongoing basis through interactions with third-party experts we employ to help protect the Company from cybersecurity threats. In addition, we maintain a global cross-functional cyber crisis team, which is responsible for evaluating cybersecurity threats and overseeing compliance with regulatory security requirements.

Risk Management and Strategy

We have implemented an extensive cybersecurity program that leverages the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. Our cybersecurity program is designed to assess, identify, and manage risks from cybersecurity threats while maintaining the confidentiality and availability of our information systems. We have adopted physical, technological, and administrative controls on data security, and have a defined procedure for data incident detection, containment, response, and remediation. We perform periodic assessments to identify and assess cybersecurity risks, including through the utilization of third parties to assess our system vulnerabilities. We also regularly train employees on cybersecurity risks, including through monthly phishing simulations.

We perform cybersecurity risk assessments of the third-party vendors we utilize and have processes to identify cybersecurity risks posed by using third-party systems. We also request our third-party vendors to promptly notify us of any actual or suspected breach that could impact our data or operations.

Our global footprint exposes us to numerous and evolving cybersecurity risks that could have an adverse effect on our business, financial condition, and results of operations. To date, we have not experienced any significant impacts from cybersecurity threats. However, our safeguards may not always be able to prevent a cyber-attack from impacting our systems or successfully execute our business recovery protocol, which could have a material impact on our business, financial condition, results of operations, or cash flows. Refer to the risk factor captioned “Cybersecurity Risk – The disruption of our operations or risk of loss of our sensitive business information could negatively impact our financial condition and results of operations” in "Item 1A. - Risk Factors" of this Annual Report on Form 10-K for additional narrative on our cybersecurity risks and the potential related impacts to us.