Page last updated on July 16, 2024
Philip Morris International Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 07:10:55 EST.
Filings
10-K filed on 2024-02-08
Philip Morris International Inc. filed a 10-K at 2024-02-08 07:10:55 EST
Accession Number: 0001413329-24-000013
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity for a description of our cybersecurity risk management and strategy and governance. Our or our business partners’ failure or inability to adhere to privacy, data, artificial intelligence and information security laws could result in business disruption, loss of reputation and consumer trust, litigation, regulatory action including significant fines or penalties, financial impact, and loss of revenue, assets or personal, confidential, or sensitive data. An actual or alleged failure to comply with complex and changing privacy, data, artificial intelligence and information security laws and regulations under the EU General Data Protection Regulation, various U.S. state and federal laws, and other similar privacy and information security laws across the jurisdictions in which PMI operates, such as the failure to protect personal data; implement appropriate technological and reasonable security measures; implement and maintain appropriate safeguards for personal data being transferred internationally; respect the privacy rights of data subjects; provide sufficient detailed notices of personal data processing; retrieve consent and provide opt-outs; meet stringent timeframe requirements for incident reporting to regulatory authorities; comply with artificial intelligence regulations; and others, could have a material adverse effect on us, subject us to substantial fines and/or legal challenges, and/or harm our business, reputation, financial condition, or operating results. Such laws and regulations across the jurisdictions in which PMI operates may vary, resulting in inconsistent or conflicting legal obligations. Risks Related to Swedish Match and Vectura Fertin Pharma We may be unable to fully realize the expected benefits from the acquisitions of Swedish Match or Vectura Fertin Pharma. Since 2021, we have acquired Swedish Match, OtiTopic, Fertin Pharma and Vectura (collectively, the “Acquisitions”), and subsequently launched Vectura Fertin Pharma, our new Wellness and Healthcare business, consolidating OtiTopic, Fertin Pharma and Vectura. The anticipated benefits of the Acquisitions may not be realized fully, or at all, or may take longer to realize than expected. Furthermore, the success of the Acquisitions also depends on the continued successful commercialization and growth of Swedish Match’s products in highly competitive markets and on the success of the research and development efforts of Vectura Fertin Pharma, including the ability to obtain regulatory approval for new products, and the ability to commercialize or license these new products developed by them. Moreover, our combustible product portfolio may stand in the way of introducing and growing new Wellness and Healthcare product categories and may prevent our business from developing a long-term sustainable ecosystem of products in the wellness, therapeutic, and healthcare categories. Swedish Match and Vectura Fertin Pharma may have liabilities that are not known to us. The businesses that we have acquired may have liabilities that we were unable to identify, or were unable to discover, in the course of performing our due diligence investigations during the Acquisitions thereof. There is no assurance that the indemnification available to us under the respective acquisition agreements, will be sufficient in amount, scope or duration to fully offset the possible liabilities associated with the respective business or property that we assumed upon consummation of each Acquisition. Furthermore, the acquisition of Swedish Match was structured as a direct purchase of shares from Swedish Match shareholders and therefore did not include an acquisition agreement or indemnification rights. Any such liabilities, individually or in the aggregate, could have a material adverse effect on our business, financial condition and results of operations. Accounting adjustments related to the Acquisitions could adversely affect our financial results. We accounted for the completion of the Acquisitions using the acquisition method of accounting. Given the nature of the assets acquired in the Acquisitions, we may not be able to avoid future impairments of those assets, which may also have a material impact on our future results of operation and financial position. 18 PMI, Swedish Match and Vectura Fertin Pharma may be subject to uncertainties that could adversely affect our respective businesses, and adversely affect the financial results of our combined businesses. Our success following these Acquisitions depends in part upon our ability and the ability of each of Swedish Match and Vectura Fertin Pharma to maintain business relationships. The effect of the Acquisitions on customers, suppliers, employees and other constituencies of each of Swedish Match, Fertin Pharma and Vectura, may have a material adverse effect on us and/or the businesses that we have acquired through the Acquisitions. Customers, suppliers and others who do business with Swedish Match or Vectura Fertin Pharma may delay or defer business decisions, decide to terminate, modify or renegotiate their relationships, or take other actions, which could negatively affect the revenues, earnings and cash flows of our company or the businesses that we have acquired. Regulatory changes may have an impact on the development and/or commercialization of products which originate from the Swedish Match or Vectura Fertin Pharma value chains, as well as our revenues, earnings and cash flow. If we are unable to maintain the business and operational relationships of Swedish Match, or of Vectura Fertin Pharma, our financial position, results of operations or cash flows upon combining with these companies could be adversely affected. Item 1B. Unresolved Staff Comments. None. Item 1C. Cybersecurity. PMI relies heavily on the availability, reliability, and security of our information systems, networks, data, and intellectual property to, among other things, help manage our business processes and operations, collect and interpret data, and communicate internally and externally with employees, suppliers, consumers and customers, and business partners. We have a cross-functional cybersecurity risk program developed using standard industry practices, which monitors and manages cybersecurity threats to our business and information systems. We invest in administrative, technical, and physical safeguards, including continuity planning, to enhance resilience on our core processes, to maintain information security protections of our data and to safeguard the privacy of consumers, customers, employees and business partners. Risk Management and Strategy Our cybersecurity risk program, managed by our Chief Information Security Officer (“CISO”) and the information security team, is conducted under our enterprise risk management framework and operates on a risk-based approach in assessing risks from cybersecurity threats, as follows: - Cybersecurity Threat Scenarios. Our cybersecurity risk assessment process consists of identifying and compiling a catalogue of top cybersecurity threat scenarios relevant to PMI, which facilitates risk assessments with our IT and business stakeholders. - Cybersecurity Maturity Assessment. Our risk exposure from relevant cybersecurity threat scenarios is mitigated by evaluating existing cybersecurity capabilities and corresponding maturity to identify and address areas for improvement. - Cybersecurity Threat Assessment. To establish PMI’s current and target cybersecurity risk exposure, residual risk exposure from the most relevant cybersecurity threat scenarios across IT platforms and regions is evaluated and measured based upon the cybersecurity maturity assessments. - Cybersecurity Risk Program. PMI has a cybersecurity risk program to enhance its ability to identify, prevent, mitigate, respond and recover from disruptive cybersecurity threats and incidents and to reduce cybersecurity risk exposure. Improvements in our cybersecurity defense capabilities are prioritized based upon the results of cybersecurity threat assessments and cybersecurity maturity assessments. Identified issues from these assessments form the improvement initiatives under our cybersecurity risk program. As discussed in more detail below under " Governance ," the program’s key improvement initiatives, their implementation status, and the overall progression in our cybersecurity capability maturity are regularly presented to the applicable governing body within PMI. In addition, our cybersecurity risk program operates in coordination with the following: Cyber Defense . Our dedicated cyber defense team provides services to identify, help prevent, detect and respond against cybersecurity threats and intrusions and collaborates with internal and external stakeholders to help protect PMI’s information, mitigate operational disruptions and maintain business continuity. The cyber defense team’s controls and procedures identify and enable escalation of cybersecurity incidents to the applicable governing body within PMI, as appropriate, to meet disclosure and reporting requirements for such incidents. 19 Third-Party Cyber Risk Management . Some of our information systems and networks are developed, supplied, or managed by third-party service providers. Our third-party cyber risk management process analyzes and seeks to control risks associated with outsourcing products or services, such as “supply chain” style cyberattacks, and identifies preventative and detective controls to mitigate third-party vendor and service provider cybersecurity risks that could adversely impact our business and operations. Education and Awareness . PMI regularly provides its workforce with mandatory cybersecurity awareness education and training addressing information security related tasks in line with our evolving information security policies, standards, procedures, and practice as well as supplemental role-based training and awareness programs. We engage external assessors and other third parties to independently evaluate our cybersecurity risk management process, including the relevance to PMI of identified cybersecurity scenarios and the results of cybersecurity maturity assessments. The outcome of such evaluations, audits or reviews are reported to the Corporate Risk Governance Committee and to the Audit & Risk Committee, and our cybersecurity policies, standards and processes are adjusted, as necessary. PMI follows a risk evaluation process for issues identified through internal audits, security assessments, third-party cybersecurity risk assessments, or self-assessment disclosures, and resulting information technology risks are recorded for risk remediation, transfer, avoidance, or acceptance as appropriate. Some of our information systems are managed by specialist third-party service providers, and we work with internal specialists to protect systems and data from unauthorized access and other cybersecurity threats. Governance The Audit and Risk Committee of our Board of Directors oversees our policies and practices with respect to risk assessment and risk management, including a review, in coordination with our management, of PMI’s management of cybersecurity. Our CISO presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans. The Corporate Risk Governance Committee receives quarterly reports on the Company’s overall cybersecurity risk exposure including the individual top cybersecurity threat scenario residual risk ratings and the plan and status of the cybersecurity risk program, to facilitate calibration with other enterprise risk domains and validation of the risk response plans. The Corporate Risk Governance Committee includes our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), General Counsel (“GC”), Senior Vice President Operations, and our Chief Digital & Information Officer (“CDIO”). Cybersecurity incidents that have been determined to meet established SEC reporting consideration thresholds are promptly communicated to the Disclosure Committee, which is responsible for evaluating the potential materiality of such incidents and ensuring the accuracy, timeliness and completeness of related disclosures under applicable reporting obligations, and other relevant communications or presentations. The Disclosure Committee’s membership includes the following executives: the Corporate Secretary; the GC; the CFO; the Controller & Principal Accounting Officer; the Chief Risk Assurance Officer; and the Vice President, Investor Relations. In addition, the CISO serves as an advisor to the Disclosure Committee. The CISO has served in various roles in information technology and information security for over 25 years, including in the telecommunications and management consultancy sectors and serving as the Chief Information Security Officer of two large public companies. The CDIO holds an engineering degree and has served in various senior positions in information technology for over 20 years, including serving as Senior Vice President, IT Sales, and Global Chief Information Officer at a public company. The CEO has served in various positions in finance and general management at PMI for over 30 years, including as Chief Financial Officer and Chief Operating Officer, and holds a master’s degree in economics. The CFO has over 15 years of experience in finance and management, having held several executive positions in charge of finance, legal affairs information systems and industry administration at various companies. The GC has served at PMI for 18 years in several positions within the Legal & Compliance department, including as Vice President and Associate General Counsel of various regions, and holds two master’s degrees having studied law, management and finance. As of the date of this Annual Report on Form 10-K, PMI is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect PMI, its business strategy, results of operations or financial condition. For additional information concerning PMI’s risks related to cybersecurity, see Item 1.A. Risk Factors . 20
Item 1C. Cybersecurity. PMI relies heavily on the availability, reliability, and security of our information systems, networks, data, and intellectual property to, among other things, help manage our business processes and operations, collect and interpret data, and communicate internally and externally with employees, suppliers, consumers and customers, and business partners. We have a cross-functional cybersecurity risk program developed using standard industry practices, which monitors and manages cybersecurity threats to our business and information systems. We invest in administrative, technical, and physical safeguards, including continuity planning, to enhance resilience on our core processes, to maintain information security protections of our data and to safeguard the privacy of consumers, customers, employees and business partners. Risk Management and Strategy Our cybersecurity risk program, managed by our Chief Information Security Officer (“CISO”) and the information security team, is conducted under our enterprise risk management framework and operates on a risk-based approach in assessing risks from cybersecurity threats, as follows: - Cybersecurity Threat Scenarios. Our cybersecurity risk assessment process consists of identifying and compiling a catalogue of top cybersecurity threat scenarios relevant to PMI, which facilitates risk assessments with our IT and business stakeholders. - Cybersecurity Maturity Assessment. Our risk exposure from relevant cybersecurity threat scenarios is mitigated by evaluating existing cybersecurity capabilities and corresponding maturity to identify and address areas for improvement. - Cybersecurity Threat Assessment. To establish PMI’s current and target cybersecurity risk exposure, residual risk exposure from the most relevant cybersecurity threat scenarios across IT platforms and regions is evaluated and measured based upon the cybersecurity maturity assessments. - Cybersecurity Risk Program. PMI has a cybersecurity risk program to enhance its ability to identify, prevent, mitigate, respond and recover from disruptive cybersecurity threats and incidents and to reduce cybersecurity risk exposure. Improvements in our cybersecurity defense capabilities are prioritized based upon the results of cybersecurity threat assessments and cybersecurity maturity assessments. Identified issues from these assessments form the improvement initiatives under our cybersecurity risk program. As discussed in more detail below under " Governance ," the program’s key improvement initiatives, their implementation status, and the overall progression in our cybersecurity capability maturity are regularly presented to the applicable governing body within PMI. In addition, our cybersecurity risk program operates in coordination with the following: Cyber Defense . Our dedicated cyber defense team provides services to identify, help prevent, detect and respond against cybersecurity threats and intrusions and collaborates with internal and external stakeholders to help protect PMI’s information, mitigate operational disruptions and maintain business continuity. The cyber defense team’s controls and procedures identify and enable escalation of cybersecurity incidents to the applicable governing body within PMI, as appropriate, to meet disclosure and reporting requirements for such incidents. 19 Third-Party Cyber Risk Management . Some of our information systems and networks are developed, supplied, or managed by third-party service providers. Our third-party cyber risk management process analyzes and seeks to control risks associated with outsourcing products or services, such as “supply chain” style cyberattacks, and identifies preventative and detective controls to mitigate third-party vendor and service provider cybersecurity risks that could adversely impact our business and operations. Education and Awareness . PMI regularly provides its workforce with mandatory cybersecurity awareness education and training addressing information security related tasks in line with our evolving information security policies, standards, procedures, and practice as well as supplemental role-based training and awareness programs. We engage external assessors and other third parties to independently evaluate our cybersecurity risk management process, including the relevance to PMI of identified cybersecurity scenarios and the results of cybersecurity maturity assessments. The outcome of such evaluations, audits or reviews are reported to the Corporate Risk Governance Committee and to the Audit & Risk Committee, and our cybersecurity policies, standards and processes are adjusted, as necessary. PMI follows a risk evaluation process for issues identified through internal audits, security assessments, third-party cybersecurity risk assessments, or self-assessment disclosures, and resulting information technology risks are recorded for risk remediation, transfer, avoidance, or acceptance as appropriate. Some of our information systems are managed by specialist third-party service providers, and we work with internal specialists to protect systems and data from unauthorized access and other cybersecurity threats. Governance The Audit and Risk Committee of our Board of Directors oversees our policies and practices with respect to risk assessment and risk management, including a review, in coordination with our management, of PMI’s management of cybersecurity. Our CISO presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans. The Corporate Risk Governance Committee receives quarterly reports on the Company’s overall cybersecurity risk exposure including the individual top cybersecurity threat scenario residual risk ratings and the plan and status of the cybersecurity risk program, to facilitate calibration with other enterprise risk domains and validation of the risk response plans. The Corporate Risk Governance Committee includes our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), General Counsel (“GC”), Senior Vice President Operations, and our Chief Digital & Information Officer (“CDIO”). Cybersecurity incidents that have been determined to meet established SEC reporting consideration thresholds are promptly communicated to the Disclosure Committee, which is responsible for evaluating the potential materiality of such incidents and ensuring the accuracy, timeliness and completeness of related disclosures under applicable reporting obligations, and other relevant communications or presentations. The Disclosure Committee’s membership includes the following executives: the Corporate Secretary; the GC; the CFO; the Controller & Principal Accounting Officer; the Chief Risk Assurance Officer; and the Vice President, Investor Relations. In addition, the CISO serves as an advisor to the Disclosure Committee. The CISO has served in various roles in information technology and information security for over 25 years, including in the telecommunications and management consultancy sectors and serving as the Chief Information Security Officer of two large public companies. The CDIO holds an engineering degree and has served in various senior positions in information technology for over 20 years, including serving as Senior Vice President, IT Sales, and Global Chief Information Officer at a public company. The CEO has served in various positions in finance and general management at PMI for over 30 years, including as Chief Financial Officer and Chief Operating Officer, and holds a master’s degree in economics. The CFO has over 15 years of experience in finance and management, having held several executive positions in charge of finance, legal affairs information systems and industry administration at various companies. The GC has served at PMI for 18 years in several positions within the Legal & Compliance department, including as Vice President and Associate General Counsel of various regions, and holds two master’s degrees having studied law, management and finance. As of the date of this Annual Report on Form 10-K, PMI is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect PMI, its business strategy, results of operations or financial condition. For additional information concerning PMI’s risks related to cybersecurity, see Item 1.A. Risk Factors . 20
Company Information
Name | Philip Morris International Inc. |
CIK | 0001413329 |
SIC Description | Cigarettes |
Ticker | PM - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |