Page last updated on August 13, 2024
CARPENTER TECHNOLOGY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-13 15:47:27 EDT.
Filings
10-K filed on 2024-08-13
CARPENTER TECHNOLOGY CORP filed a 10-K at 2024-08-13 15:47:27 EDT
Accession Number: 0000017843-24-000014
Item 1C. Cybersecurity.
Carpenter Technology’s cybersecurity team and organizational partnerships are designed to protect our employees, intellectual property and customers from various cyber threats. Our cybersecurity team strives to achieve these protections through obtaining leading certifications and regular engagement with third parties and federal organizations to further protect our information. While we continually work to safeguard the information systems we use, and the proprietary, confidential and personal information residing therein, and mitigate potential risks, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks and data or those of our third party providers. See “Item 1A. Risk Factors” for a discussion of cybersecurity risks.

Risk Management and Strategy

As cybersecurity risks continue to evolve and potentially affect businesses globally, Carpenter Technology understands that protecting business, employee, and customer information, data, and systems is of critical importance. Through a series of cybersecurity imperatives aligned with the National Institute of Standards and Technology (NIST), Carpenter Technology assesses, identifies and manages potential cyber risks. Imperatives include:

- Increasing Visibility: Improve understanding of what to protect
- Rapid Response: Mitigate the amount of damage that could occur
- Shrink Surface of Attack: Reduce the total resources exposed to cyber threat
- Identity Management: Ensure the right people have correct access
- Supply Chain Risk Management: Manage security risks introduced by vendors and third parties
- Data-Centric Security: Protect data throughout the lifecycle

Carpenter Technology’s multi-faceted cybersecurity program includes implementation of leading technologies to detect evolving cyber threats, recurring regular cybersecurity training to keep employees situationally aware, mock security exercises to prepare for rapid response, penetration tests to continuously improve operations, and internal audits to confirm controls are operating effectively. Carpenter Technology also maintains strong partnerships with law enforcement, leading academic institutions and peers in the manufacturing industry to stay informed of the latest cybersecurity developments and trends in the ever-evolving threat landscape.

Employees annually review and acknowledge an information systems Acceptable Use Policy. Information Technology associates participate in comprehensive annual training including DFARS and Sarbanes-Oxley compliance training.

Carpenter Technology maintains a Cybersecurity Incident Response Plan (“CIRP”) which provides specific guidance and documentation for proper incident handling and communication. The CIRP applies to all locations and situations where Carpenter Technology business is conducted. All cybersecurity incidents, regardless of severity, are to be promptly handled according to this plan. The CIRP will invoke Carpenter Technology’s business continuity and crisis management processes for the most severe incidents.

Additionally, Carpenter Technology leverages third party security firms in various capacities to assist with various aspects of Carpenter Technology’s cybersecurity program, including risk assessments, vulnerability scans, and penetration testing. Carpenter Technology uses a variety of processes to address cybersecurity threats related to the use of third party technology and services, such as reviewing independent assessments of the third party’s cyber/information security controls, such as Systems and Organization Controls 2 audits or other standards-based assessments, where appropriate. As part of Carpenter Technology’s process to continuously improve its cyber and information security programs, Carpenter Technology also engages third party subject matter experts to assess and evaluate the effectiveness of various aspects of such programs.

As of the date of this Annual Report on Form 10-K, we are not aware of any risks from the cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition.

Governance

Board of Directors Oversight

The Board of Directors is provided regular updates on the Company’s cybersecurity program. The Audit/Finance Committee of the Board of Directors oversees the Company’s risk management program, including cyber and information security. The Board of Directors is also regularly briefed on Carpenter Technology’s cybersecurity risks and mitigation efforts. The oversight of our cybersecurity risk is integrated into our Enterprise Risk Management (“ERM”) process owned by management and facilitated by Carpenter Technology’s Internal Audit department. The ERM program includes an annual risk prioritization process designed to identify key enterprise risks. Each key enterprise risk is assigned risk owners to establish action plans and implement risk mitigation strategies. The annual risk assessment is presented to the full Board of Directors at least once per year, with regular updates presented quarterly to the Audit/Finance Committee.

Management’s Role in Cybersecurity Risk Management

We have a dedicated Chief Information Security Officer (“CISO”) with overall responsibility for the cybersecurity program, including threat detection and response, vulnerability management, governance, risk and compliance, security strategy and architecture, security engineering and operations, product and operational technology security. The current CISO has 15+ years of experience in the cybersecurity field and has broad expertise in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training and incident response. The CISO’s credentials include a Master of Science Degree in Information Security Management from SANS Technology Institute and a CISO Certificate from Carnegie Mellon University. The CISO holds multiple certifications including CISSP, CISA, GCIH, GCIA and PMP.

Pursuant to our formal CIRP, suspected cybersecurity incidents are first evaluated by the Carpenter Technology Cybersecurity Team Leader who follows the guidance as outlined in the CIRP to respond to cybersecurity incidents and escalate as necessary based on a defined severity matrix. Based on the nature and severity of the incident, the response team may be comprised of representatives from our Information Technology, Human Resources, Safety, Legal, Finance and Communications departments, who jointly determine if the incident may result in a business interruption, require reporting to regulators, employees and/or business partners, have a material financial impact or cause reputational harm and should be escalated to the executive crisis response team, which includes Chief Executive Officer, Chief Financial Officer and General Counsel. For all matters that have been escalated, the responsible team executes specified procedures to contain the incident, implement incident response procedures and implement and document remediation measures.
Company Information

| Field | Value |
|---|---|
| Name | CARPENTER TECHNOLOGY CORP |
| CIK | 0000017843 |
| SIC Description | Steel Works, Blast Furnaces & Rolling Mills (Coke Ovens) |
| Ticker | CRS - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | June 29 |