Page last updated on July 16, 2024
GRAPHIC PACKAGING HOLDING CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:41:01 EST.
Filings
10-K filed on 2024-02-21
GRAPHIC PACKAGING HOLDING CO filed a 10-K at 2024-02-21 16:41:01 EST
Accession Number: 0001408075-24-000012
Item 1C. Cybersecurity.
The Company has cybersecurity incident response policies and procedures for identifying, assessing, and managing material risks arising from cybersecurity incidents, including those arising from third-party service providers. Our cybersecurity program is based on components of the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework. The Company’s Vice President, Information Security, who has 15 years of experience in information security and has several industry certifications such as Certified Information Security Manager (“CISM”), Certified in Risk and Information Systems Control (“CRISC”), and Certified Information Privacy Professional (“CIPP”), is primarily responsible for managing and assessing cybersecurity risks.
The Company uses a number of other internal and external resources to manage its information technology (“IT”) and cybersecurity operations across the Company, including global managed service providers that provide 24/7 support for all of the Company’s key IT systems and consultants who are engaged periodically to assist with the Company’s evaluation of its systems and processes for preventing and mitigating cybersecurity incidents.
The Company’s global managed service providers also assess cybersecurity incidents and classify them by severity level in accordance with the Company’s Incident Response Plan, which determines how each cybersecurity incident is managed and communicated. The Incident Response Plan also outlines the procedures that the Company then follows for evaluation and recovery from an incident, including containment of the affected systems, in order to restore our systems to normal operations. To date, the Company has not had a cybersecurity event that materially impacted its operations, financial position or the security of its proprietary data.
Cybersecurity incidents that are deemed Priority 1 (described in the Incident Response Plan as those incidents affecting key operational and financial systems), are reported to certain members of the Company’s Executive Leadership Team including the Chief Executive Officer, Chief Financial Officer, General Counsel and Chief Information Officer (“CIO”) for assessment of the materiality of the incident, which will be made using both quantitative and qualitative analysis to determine an incident’s immediate and reasonably likely future impacts. Cybersecurity incidents that are deemed material, either individually or in aggregate, are reported to the Audit Committee of the Company’s Board of Directors, which has been delegated the responsibility for oversight of cybersecurity risks. The Company also communicates material cybersecurity incidents to the Company’s independent auditors and internal audit team.
Annually the Company conducts an Enterprise Risk Assessment during which management identifies and quantifies risks to the Company’s operations, financial position and strategy, including cybersecurity risks. The conclusions of the annual Enterprise Risk Assessment are shared with the Audit Committee. Working with the CIO and the Vice President, Information Security, the Audit Committee periodically reviews the strategy, priorities, and goals of the cybersecurity program and the CIO and Vice President, Information Security, provide regular updates to the Audit Committee.
Company Information
Name | GRAPHIC PACKAGING HOLDING CO |
CIK | 0001408075 |
SIC Description | Paperboard Containers & Boxes |
Ticker | GPK - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |