Kyndryl Holdings, Inc. 10-K Cybersecurity GRC - 2024-05-30

Page last updated on July 16, 2024

Kyndryl Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-30 16:44:06 EDT.

Filings

10-K filed on 2024-05-30

Kyndryl Holdings, Inc. filed a 10-K at 2024-05-30 16:44:06 EDT
Accession Number: 0001558370-24-008788


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the critical importance of cybersecurity in upholding the safety and security of our systems, services and data and maintaining the trust of our customers. Cybersecurity risk management is an important part of, and is integrated into, the Company’s overall enterprise risk management program. We maintain a cybersecurity risk management program that is designed to identify, assess, manage and mitigate cybersecurity risks and provides a framework for responding to cybersecurity threats and incidents. We continually assess and enhance our cybersecurity risk management program and our cybersecurity posture to protect the confidentiality, integrity and availability of the Company’s infrastructure, resources and information and the information that our customers entrust to us. We designed a multi-faceted risk-management approach based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and informed by other industry standards and industry-recognized practices to identify and address cybersecurity risks. Our key cybersecurity processes include the following:

● Risk-based, layered controls - We regularly assess and adjust our technical controls and methods to identify, respond to and mitigate emerging cybersecurity risks and use a layered approach with overlapping controls to defend against cybersecurity attacks and threats to our networks, end-user devices, servers, applications, data and cloud solutions and the data that our customers entrust to us.

● Cybersecurity incident response plan and testing - We have a global incident response process and a dedicated team responsible for monitoring, detecting and responding to cybersecurity threats and attacks, whether external or internal, coordinating across multiple functions, periodically testing our protocols and regularly communicating and providing reports to our CISO.

● Information sharing and collaboration - We utilize threat intelligence and security information collected from various sources, including but not limited to partners, suppliers, governments and information sharing and analysis centers, to identify, protect against, detect and respond to potential cybersecurity threats and events.

● Training and awareness - We use a combination of online training, including mandatory annual cybersecurity and privacy courses, educational tools, videos and other ongoing awareness initiatives, including phishing simulation exercises, throughout the year to foster a culture of security awareness and responsibility among our workforce.

● Third-party supplier risk assessments - Recognizing that our suppliers can be subject to cybersecurity incidents which may impact us and our customers, our procurement process includes security and risk assessments to identify and evaluate risk associated with certain key suppliers, including reviewing relevant cybersecurity certifications and third-party audit results, assessing technical and organizational controls and evaluating their risk profile.

We periodically engage third-party security consultants to conduct evaluations of our cybersecurity controls and procedures, including through penetration testing, third-party audits or consulting on best practices to address new challenges. These evaluations include testing the design and operational effectiveness of our cybersecurity controls and procedures. Our internal audit function conducts additional reviews and assessments of our cybersecurity controls and procedures. Certain results of such assessments and reviews are reported to the Audit Committee and the Board of Directors as appropriate. We use the findings from these efforts to improve our practices, procedures, and technologies.

Cybersecurity Risk Oversight and Governance

Our Board of Directors is responsible for the overall oversight of our enterprise risk management. The Audit Committee semi-annually reviews the Company’s enterprise risk management framework, including enterprise risk management processes, and assists the Board of Directors in its oversight over certain key areas of risks, including overseeing cybersecurity, data governance and privacy risk and regularly reporting on such matters to the Board. The Audit Committee and full Board of Directors receive periodic updates from our CISO about Kyndryl’s cybersecurity policies and practices, cybersecurity developments, trends, risks, notable incidents, mitigation strategies, maturity initiatives and other developments throughout the year, as well as periodic updates from our CIO, Security & Resiliency global practice leader and other senior leaders on cybersecurity-related matters.

Our information security program is led by our CISO, who reports to the CIO. Our CISO organization collaborates closely with key stakeholders across the businesses, including our Security & Resiliency and other global practice organizations, in developing and implementing our cybersecurity strategy, policy, operations, threat detection and incident response and remediation. Our information security teams that support these efforts are comprised of cybersecurity professionals with many years of experience in cybersecurity across multiple sectors, including heavily regulated industries such as financial services and defense, and many of them hold relevant industry certifications. Under our global incident response process, cybersecurity incidents are assessed and classified by severity, and significant incidents are escalated as appropriate to senior executive leadership. In addition, we have a risk-based escalation process outside of our regular reporting process to promptly notify the Board of Directors in the event of any material cybersecurity incident impacting the Company.
Based on the information we have as of the date of this Form 10-K, we do not believe that any cybersecurity incident experienced by the Company has materially affected or is reasonably likely to materially affect Kyndryl, including our business strategy, results of operations or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.”


Company Information

Name: Kyndryl Holdings, Inc.
CIK: 0001867072
SIC Description: Services-Computer Integrated Systems Design
Ticker: KD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30