Page last updated on July 16, 2024
CATERPILLAR FINANCIAL SERVICES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 11:36:37 EST.
Filings
10-K filed on 2024-02-16
CATERPILLAR FINANCIAL SERVICES CORP filed a 10-K at 2024-02-16 11:36:37 EST
Accession Number: 0000764764-24-000011
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity. As required by Item 106 of Regulation S-K, the following sets forth information regarding our cybersecurity strategy, risk management and governance, which is overseen by Caterpillar and forms a part of Caterpillar’s cybersecurity strategy, risk management and governance. A description of Caterpillar’s cybersecurity strategy, risk management and governance can be found under Item 1C. Cybersecurity in Caterpillar’s 2023 Annual Report on Form 10-K filed separately with the Securities and Exchange Commission. Cybersecurity Strategy and Risk Management Cybersecurity is critical to advancing our overall objectives and enabling our digital efforts. As a global company, we face a wide variety of cybersecurity threats that range from common attacks such as ransomware and denial-of-service, to attacks from more advanced adversaries. Our customers, suppliers, and other partners face similar cybersecurity threats, and a cybersecurity incident impacting these entities could materially adversely affect our operations, performance and results. These cybersecurity threats and related risks make it imperative that we maintain focus on cybersecurity and systemic risks. We maintain a comprehensive cybersecurity program which is integrated within Caterpillar’s enterprise risk management system and encompasses the corporate information technology and operational technology environments as well as customer-facing products. Our cybersecurity program has implemented a governance structure and process to identify, assess, manage, mitigate, respond to and report on cybersecurity risks. We utilize cybersecurity policies and frameworks based on industry and government standards. Our cyber risk management program controls are based on recognized best practices and standards, including the National Institute of Standards and Technology (NIST) Cyber Security Framework and the International Organization for Standardization (ISO 27001) Information Security Management System Requirements. We partner with third parties to support and evaluate our cybersecurity program. These third-party services span areas including cybersecurity maturity assessments, incident response, penetration testing, consulting on best practices, bug bounty programs, and others. We also consume threat intelligence from several paid and non-paid sources. We maintain a 24 x 7 operations center which serves as a central location for the reporting of cybersecurity matters, provides monitoring of our global cybersecurity environment, and coordinates the investigation and remediation of alerts. As cybersecurity events occur, the cybersecurity team focuses on responding to and containing the threat and minimizing impact. In the event of an incident, the cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with participation from technical, legal and law enforcement support, as appropriate. We have implemented a cybersecurity awareness program which covers topics such as phishing, social networking safety, password security and mobile device usage. We have mandatory training in the areas of cybersecurity, privacy, and confidential information handling. We also conduct regular phishing training and simulations for our employees and contractors. We provide extensive specialized role-based training to technical professionals in cybersecurity, secure application development, and other focus areas. We also conduct periodic tabletop exercises to validate our preparation for cyber events. We operate a third-party cybersecurity program with the goal of minimizing disruption to the Company’s business and production operations, strengthening supply chain resilience, and supporting the integrity of components and systems used in its products and services. We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or joint venture partner could materially adversely impact us. We assess third-party cybersecurity controls through a cybersecurity third-party risk assessment process. Identified deficiencies are addressed through a risk remediation process. For select suppliers, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those suppliers to address potential deficiencies identified. 13 As of the date of this report, we do not believe that risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. That said, as discussed more fully under Item 1A. “Risk Factors-Operational Risks- Increased information technology security threats and more sophisticated computer crime pose a risk to our systems, networks, products and services” of this Form 10-K, these threats pose a risk to the security of our systems and networks and the confidentiality, availability and integrity of our data. Cybersecurity attacks could also include attacks targeting customer data or the security, integrity and/or reliability of the hardware and software installed in Caterpillar products. It is possible that our information technology systems and networks, or those managed or provided by third parties, could have vulnerabilities, which could go unnoticed for a period of time. While various procedures and controls have been and are being utilized to mitigate such risks, there can be no guarantee that the actions and controls we have implemented and are implementing, or which we cause or have caused third-party service providers to implement, will be sufficient to protect and mitigate associated risks to our systems, information or other property. Cybersecurity Governance Caterpillar Cybersecurity Governance Caterpillar’s board has oversight for risk management with a focus on the most significant risks facing Caterpillar (including its wholly owned subsidiary, Cat Financial), including strategic, operational, financial and legal compliance risks. The Caterpillar board’s risk oversight process builds upon management’s risk assessment and mitigation processes, which include an enterprise risk management program of which Caterpillar’s cybersecurity processes are an integral component. Caterpillar’s board implements its risk oversight function both as a board and through delegation to board committees, which meet regularly and report back to the Caterpillar board. Caterpillar’s board has delegated the oversight of specific risks to board committees that align with their functional responsibilities. Caterpillar’s Audit Committee (the “Caterpillar AC”) assists the Caterpillar board in overseeing the enterprise risk management program and evaluates and monitors risks related to, among other things, Caterpillar’s information security program. The Caterpillar AC assesses cybersecurity and information technology risks and the controls implemented to monitor and mitigate these risks. Caterpillar’s Chief Information Officer & Senior Vice President, Caterpillar IT (the “Caterpillar CIO”) attends all bimonthly Caterpillar AC meetings and provides cybersecurity updates to the Caterpillar AC and Caterpillar board. Caterpillar’s cybersecurity program is overseen by the Caterpillar CIO, who has been a Caterpillar employee for nearly twenty-five years. Prior to her current appointment as Caterpillar’s CIO in September 2020, she was the Chief Information Officer for the Caterpillar’s Financial Products Division, which includes Cat Financial. Her extensive background in IT includes global leadership for large-scale systems transformations, cybersecurity, cloud and application management, global data center management, worldwide network, servers and storage, database management and end-user services. The Caterpillar CIO leads a cross-functional cybersecurity team comprised of professionals from Caterpillar’s product, cybersecurity, legal and compliance organizations who focus on managing the security of Caterpillar’s connected solutions. This team manages the Caterpillar’s global IT systems, IT risk management, cybersecurity, global infrastructure and IT transformations. Cat Financial Cybersecurity Governance Our Risk Committee provides oversight over our information security program and other matters related to cybersecurity. Our President serves as the chair of this committee, which includes among its members our Chief Risk Officer and our Chief Information Officer. Our cybersecurity program is managed by our Chief Information Security Officer, who reports on a regular basis to our Risk Committee on cybersecurity matters and who regularly collaborates with the Caterpillar cybersecurity team.
Item 1C. Cybersecurity in Caterpillar’s 2023 Annual Report on Form 10-K filed separately with the Securities and Exchange Commission. Cybersecurity Strategy and Risk Management Cybersecurity is critical to advancing our overall objectives and enabling our digital efforts. As a global company, we face a wide variety of cybersecurity threats that range from common attacks such as ransomware and denial-of-service, to attacks from more advanced adversaries. Our customers, suppliers, and other partners face similar cybersecurity threats, and a cybersecurity incident impacting these entities could materially adversely affect our operations, performance and results. These cybersecurity threats and related risks make it imperative that we maintain focus on cybersecurity and systemic risks. We maintain a comprehensive cybersecurity program which is integrated within Caterpillar’s enterprise risk management system and encompasses the corporate information technology and operational technology environments as well as customer-facing products. Our cybersecurity program has implemented a governance structure and process to identify, assess, manage, mitigate, respond to and report on cybersecurity risks. We utilize cybersecurity policies and frameworks based on industry and government standards. Our cyber risk management program controls are based on recognized best practices and standards, including the National Institute of Standards and Technology (NIST) Cyber Security Framework and the International Organization for Standardization (ISO 27001) Information Security Management System Requirements. We partner with third parties to support and evaluate our cybersecurity program. These third-party services span areas including cybersecurity maturity assessments, incident response, penetration testing, consulting on best practices, bug bounty programs, and others. We also consume threat intelligence from several paid and non-paid sources. We maintain a 24 x 7 operations center which serves as a central location for the reporting of cybersecurity matters, provides monitoring of our global cybersecurity environment, and coordinates the investigation and remediation of alerts. As cybersecurity events occur, the cybersecurity team focuses on responding to and containing the threat and minimizing impact. In the event of an incident, the cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with participation from technical, legal and law enforcement support, as appropriate. We have implemented a cybersecurity awareness program which covers topics such as phishing, social networking safety, password security and mobile device usage. We have mandatory training in the areas of cybersecurity, privacy, and confidential information handling. We also conduct regular phishing training and simulations for our employees and contractors. We provide extensive specialized role-based training to technical professionals in cybersecurity, secure application development, and other focus areas. We also conduct periodic tabletop exercises to validate our preparation for cyber events. We operate a third-party cybersecurity program with the goal of minimizing disruption to the Company’s business and production operations, strengthening supply chain resilience, and supporting the integrity of components and systems used in its products and services. We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or joint venture partner could materially adversely impact us. We assess third-party cybersecurity controls through a cybersecurity third-party risk assessment process. Identified deficiencies are addressed through a risk remediation process. For select suppliers, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those suppliers to address potential deficiencies identified. 13 As of the date of this report, we do not believe that risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. That said, as discussed more fully under Item 1A. “Risk Factors-Operational Risks- Increased information technology security threats and more sophisticated computer crime pose a risk to our systems, networks, products and services” of this Form 10-K, these threats pose a risk to the security of our systems and networks and the confidentiality, availability and integrity of our data. Cybersecurity attacks could also include attacks targeting customer data or the security, integrity and/or reliability of the hardware and software installed in Caterpillar products. It is possible that our information technology systems and networks, or those managed or provided by third parties, could have vulnerabilities, which could go unnoticed for a period of time. While various procedures and controls have been and are being utilized to mitigate such risks, there can be no guarantee that the actions and controls we have implemented and are implementing, or which we cause or have caused third-party service providers to implement, will be sufficient to protect and mitigate associated risks to our systems, information or other property. Cybersecurity Governance Caterpillar Cybersecurity Governance Caterpillar’s board has oversight for risk management with a focus on the most significant risks facing Caterpillar (including its wholly owned subsidiary, Cat Financial), including strategic, operational, financial and legal compliance risks. The Caterpillar board’s risk oversight process builds upon management’s risk assessment and mitigation processes, which include an enterprise risk management program of which Caterpillar’s cybersecurity processes are an integral component. Caterpillar’s board implements its risk oversight function both as a board and through delegation to board committees, which meet regularly and report back to the Caterpillar board. Caterpillar’s board has delegated the oversight of specific risks to board committees that align with their functional responsibilities. Caterpillar’s Audit Committee (the “Caterpillar AC”) assists the Caterpillar board in overseeing the enterprise risk management program and evaluates and monitors risks related to, among other things, Caterpillar’s information security program. The Caterpillar AC assesses cybersecurity and information technology risks and the controls implemented to monitor and mitigate these risks. Caterpillar’s Chief Information Officer & Senior Vice President, Caterpillar IT (the “Caterpillar CIO”) attends all bimonthly Caterpillar AC meetings and provides cybersecurity updates to the Caterpillar AC and Caterpillar board. Caterpillar’s cybersecurity program is overseen by the Caterpillar CIO, who has been a Caterpillar employee for nearly twenty-five years. Prior to her current appointment as Caterpillar’s CIO in September 2020, she was the Chief Information Officer for the Caterpillar’s Financial Products Division, which includes Cat Financial. Her extensive background in IT includes global leadership for large-scale systems transformations, cybersecurity, cloud and application management, global data center management, worldwide network, servers and storage, database management and end-user services. The Caterpillar CIO leads a cross-functional cybersecurity team comprised of professionals from Caterpillar’s product, cybersecurity, legal and compliance organizations who focus on managing the security of Caterpillar’s connected solutions. This team manages the Caterpillar’s global IT systems, IT risk management, cybersecurity, global infrastructure and IT transformations. Cat Financial Cybersecurity Governance Our Risk Committee provides oversight over our information security program and other matters related to cybersecurity. Our President serves as the chair of this committee, which includes among its members our Chief Risk Officer and our Chief Information Officer. Our cybersecurity program is managed by our Chief Information Security Officer, who reports on a regular basis to our Risk Committee on cybersecurity matters and who regularly collaborates with the Caterpillar cybersecurity team.
Company Information
Name | CATERPILLAR FINANCIAL SERVICES CORP |
CIK | 0000764764 |
SIC Description | Miscellaneous Business Credit Institution |
Ticker | |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |