Page last updated on July 16, 2024
HEXCEL CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-07 16:31:01 EST.
Filings
10-K filed on 2024-02-07
HEXCEL CORP /DE/ filed a 10-K at 2024-02-07 16:31:01 EST
Accession Number: 0000950170-24-012245
Item 1C. Cybersecurity.
At Hexcel, we are committed to the security of our products and services, the protection of employee, customer and Company data, and the safeguarding of our manufacturing capability.
Our cybersecurity program is led by our Chief Information Officer (“CIO”), who has over 20 years of experience in information technology leadership and 10 years of experience directly overseeing our information security program and holds a Master of Business Administration in technology management. As a part of our cybersecurity program, we have engaged, and in the future may continue to engage, third-party consultants and advisors, including a third-party consultant with extensive experience designing, leading, and maintaining the implementation and assurance frameworks for organizational information, to provide virtual chief information security officer services, including establishing a security architecture, policies, practices, and response capabilities.
Our CIO regularly updates senior management on our cybersecurity risk governance and management and the status of ongoing efforts to strengthen cybersecurity effectiveness. Our board of directors views cybersecurity as a strategic priority and therefore maintains oversight of management’s actions in implementing our overall cybersecurity program, with our CIO regularly reporting directly to our board of directors. The audit committee of the board of directors also periodically reviews the cybersecurity program as part of its oversight of the Company’s internal audit function and insurance program.
As part of our cybersecurity program, we maintain various protections designed to safeguard against cyberattacks, including firewalls, anti-malware, intrusion prevention and detection systems, access controls and other encryption configurations and cybertechnologies, and continuously monitor and audit our information technology and data assets to detect any anomalies and to respond quickly to threats that may arise. We periodically conduct intrusion and penetration testing through third parties to evaluate our cybersecurity response capability. We also regularly conduct employee awareness training on email management (phishing), safe internet browsing, malware, and other cybersecurity risks and routinely communicate with employees about the potential for cybersecurity threats, including the latest adversary trends and social engineering techniques, and how to avoid them through our established communications channels.
We have adopted and implemented an approach to identify and mitigate cybersecurity risks within our overall enterprise risk management program that is based on a recognized framework established by the National Institute of Standards and Technology. The board of directors is responsible for overseeing management’s enterprise risk management program, and receives regular reports on cybersecurity risk identification, monitoring and mitigation from our Chief Financial Officer as part of its review of that program, in addition to the regular reports received from the CIO as part of the board’s overall cybersecurity program review.
As part of our cybersecurity risk management, we have established controls and procedures to guide the Company through an active threat or incident to the recovery of normal business, following industry-standard data protection standards.
The controls and procedures provide for the identification, notification, escalation, communication, and remediation of cybersecurity incidents to management, including where appropriate the board of directors, so that decisions regarding the public disclosure and reporting of such incidents can be made in a timely manner.
We maintain an Executive Cyber Response Team composed of senior leaders across various functions, including our CIO, General Counsel and Chief Accounting Officer. The Executive Cyber Response Team is trained and experienced in managing cybersecurity incidents and meets regularly to practice and refine our processes for incident response, management and escalation through tabletop exercises simulating cyberattacks administered by a legal advisor with extensive experience in cyber investigations, cyber threats and cyber-enabled frauds. The results of such exercises are then reported to management and our board of directors. The third-party legal advisor also assesses and advises on our overall cybersecurity program, reports to our board of directors on a periodic basis and is engaged to provide support in the event an attack or other intrusion were to be successful.
The Company maintains disaster recovery plans for key applications and site-specific incident response plans, as well as a cybersecurity and related insurance policies as a measure of added protection. As of the date of this report, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.
Company Information
Name | HEXCEL CORP /DE/ |
CIK | 0000717605 |
SIC Description | Plastic Materials, Synth Resins & Nonvulcan Elastomers |
Ticker | HXL - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |