Adient plc 10-K Cybersecurity GRC - 2024-11-18

Page last updated on November 18, 2024

Adient plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-18 16:16:51 EST.

Filings

10-K filed on 2024-11-18

Adient plc filed a 10-K at 2024-11-18 16:16:51 EST
Accession Number: 0001670541-24-000109


Item 1C. Cybersecurity.

Adient recognizes the critical importance of cybersecurity risk management, strategy, and governance. Adient’s focus is protecting its valuable assets and data, ensuring business continuity, and maintaining trust with customers and stakeholders. Adient’s cybersecurity risk strategy involves assessing and prioritizing potential threats, implementing robust security controls, maintaining an incident response plan and building plans to restore business capabilities and services, allowing prompt return to normal operations. Continuous monitoring and regular updates are essential to detect and respond to threats in real-time. While providing users with clear guidelines and regular updates, ensuring leadership is informed about potential risks and mitigation strategies, the Adient IT leadership team keeps executives updated on the overall cybersecurity posture and any significant incidents, while maintaining transparency with customers and shareholders.

Risk Assessment

Adient’s IT compliance team conducts regular risk assessments and related testing for software applications, networks and other asset vulnerabilities, including cybersecurity. Adient’s internal audit function performs an independent risk assessment, including cyber risks, to determine its annual audit plan. The IT management team also conducts cyber maturity self-assessments at least every two years, whereby risk owners are responsible to further assess and remediate, as applicable. Assessment risks are gauged on their potential impact and likelihood. Adient documents and monitors the efficacy of its strategic interventions designed to minimize these risks, ensuring robust and proactive risk management.

Separately, Adient applies a risk-based approach for suppliers, by conducting risk reviews, directing surveys, and requiring adherence to its Global Supplier Standards Manual. Adient’s third-party risk assessment process is intended to equip leadership with an objective analysis of security risk for more informed decision making and enhanced organizational resilience.

Adient plc | Form 10-K | 26

Risk Identification

Potential malicious threats are identified through both internal and external resources and tools including, but not limited to, software information and event management software (“SIEM”), endpoint detection (“EDR”), threat intelligence services, network monitoring, and cloud monitoring. In addition, cybersecurity risks identified through external audits, customer audits, third-party monitoring services and industry benchmarking are reviewed for likelihood and impact and addressed accordingly.

Adient’s cybersecurity strategy is enhanced by the integration of specialized third-party services. These providers offer critical support in pinpointing, evaluating, and managing cybersecurity risks. Adient’s suite of external resources includes threat intelligence, risk reduction, surveillance of the dark web, external assessments, scoring services, monitoring of threats and reputation, forensic analysis, cyber insurance, consultative expertise, and legal advice.

For the year ended September 30, 2024, Adient did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect Adient’s business strategy, results of operations, or financial condition. For further information about the risks associated with cybersecurity incidents, refer to the cybersecurity risk factor in Item 1A, “Risk Factors” in this Form 10-K.

Risk Management

Adient’s management strategy includes evaluating and deploying tools and technologies for cyber protection and detection, addressing risks according to likelihood and magnitude, performing cybersecurity related tabletops, phishing exercises, engineering and architectural reviews, and penetration tests to simulate incidents, as well as conducting ongoing awareness trainings.

In an ever-evolving cybersecurity landscape, Adient has established a dynamic and comprehensive security posture. Adient implements a variety of technical, physical, and organizational measures to mitigate the risks associated with cyber threats. Adient’s strategy encompasses an incident response policy with scenario-based playbooks, a detection and response program, and a vulnerability management program. Additionally, Adient maintains disaster recovery and business continuity plans, and conducts regular risk assessments. Systems monitoring and employee awareness training further fortify Adient’s defenses. To underscore Adient’s commitment to information security, Adient has secured Trusted Information Security Assessment Exchange (“TISAX”) certification at multiple international locations, ensuring Adient meets industry recognized benchmarks for protecting data.

Adient employs advanced detection tools to continuously track cybersecurity threats and incidents. Upon identifying potential risks, Adient swiftly implements mitigation and remediation measures. Subsequently, pertinent threats are reported by Adient’s information security leadership team. Adient follows its cybersecurity incident response policy which outlines roles, identifies incident categories, severity levels, response activities and communication protocols that leverages the National Institute of Standards and Technology (“NIST”) Framework.

Board Oversight

Adient’s Board of Directors has delegated cybersecurity risk oversight to the Audit Committee. The Chief Information Officer and information security leadership regularly update the Audit Committee regarding cybersecurity programs, risks and significant incidents. The Board of Directors receives a summary of cybersecurity matters in connection with regular reports from the Audit Committee. Cybersecurity risks are also considered by the Audit Committee and the full Board of Directors as part of the annual enterprise risk management process and the annual internal audit plan, which is reviewed and approved by the Audit Committee.

Management Expertise

Adient’s global information operations security leader has over 30 years of experience in IT with a focus on cybersecurity for the past 25 years, reporting into Adient’s Chief Information Officer, who has over 25 years of IT related experience and who further reports into Adient’s Executive Vice President of Global IT & Business Services and Sustainability as well as the senior executive team and the Audit Committee and the Board, as necessary.


Company Information

Name: Adient plc
CIK: 0001670541
SIC Description: Motor Vehicle Parts & Accessories
Ticker: ADNT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29