HP INC 10-K Cybersecurity GRC - 2024-12-12

Page last updated on December 13, 2024

HP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-12 20:31:46 EST.

Filings

10-K filed on 2024-12-12

HP INC filed a 10-K at 2024-12-12 20:31:46 EST
Accession Number: 0000047217-24-000080


Item 1C. Cybersecurity.

HP’s work to defend against cybersecurity threats is occurring against the backdrop of an evolving global threat landscape. Like other Fortune 500 companies, we face a substantial number of cybersecurity threats, ranging from common cyberattacks such as phishing to more evolved threats that incorporate the use of AI. Our products and processes pose an attractive challenge for the most advanced of threat actors, including but not limited to those who are state-sponsored. As a global corporation with a wide range of systems and networks in place, and with customers who threat actors might also wish to target, we could face attacks not only on our own structures, but also on those of our many third-party providers and partners.

In response to this threat environment, we have implemented a comprehensive cybersecurity program to assess, identify, and manage risks from cybersecurity threats. Our holistic approach is designed to integrate cybersecurity across the value chain, including in the design, development, and delivery of our products, services, solutions, and operations.

Our Chief Information Security Officer (“CISO”) has responsibility for HP’s global cybersecurity program, including infrastructure and technology platforms, overseeing governance, regulatory and compliance, operations, strategy, and architecture. The CISO reports to our Chief Financial Officer. This role is responsible for building out a cybersecurity organization that is designed to enable robust security coupled with productivity for more than 70,000 global employees, contractors, and partners. The CISO supports HP’s business acceleration and transformation by identifying and managing cybersecurity risks, balancing them with business priorities, and using a contemporary security posture to support HP’s position as an industry leader.
As part of this, the CISO receives reports on cybersecurity threats from a number of experienced information security officers responsible for various parts of the business on an ongoing basis and in conjunction with management, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks.

Our cybersecurity organization collaborates heavily with technology, business and legal stakeholders to enable secure business strategy, maintain, and grow proper security oversight, enhance security monitoring and response, and quantify and reduce risks and compliance gaps. There are six key focus areas within the cybersecurity organization: enterprise security operations, architecture and security engineering, identity access management, IT risk management and compliance, governance, risk and compliance, and strategy and program delivery.

Additionally, we aim to incorporate a broad range of industry-standard cybersecurity best practices throughout our cybersecurity organization.
These include, among other things:

- an insider threat program that coordinates resources to discourage, identify, and mitigate cybersecurity threats;
- regular audits of HP cybersecurity systems and annual risk assessments of related HP systems and processes, including our information security management systems;
- an incident response plan that sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate;
- annual and ongoing security awareness training for employees;
- a cybersecurity/information security policy, as well as an acceptable use policy that defines the permitted usage of company-provided technology and contains consequences for noncompliance;
- company-wide privacy policies as well as a physical security program that secures our offices and data center facilities;
- systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use; and
- engagement with industry peers and participation in cybersecurity forums to share knowledge and learn from best practices.

On an annual basis, the cybersecurity organization also enlists the aid of an independent third party to assess our alignment with the National Institute of Standards & Technology’s Cyber Security Framework. The assessment examines our information/cybersecurity program and its associated controls and delivers a report that documents assessment results and provides recommendations for further enhancements.
The cybersecurity organization is responsible for presenting an overview of the Cybersecurity Risk Assessment Report to the Board of Directors on at least an annual basis, and the HP executive leadership team is heavily involved in implementing and resolving recommendations. From time to time, we also engage assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks.

Our cybersecurity risks are evaluated by senior leadership, including as part of our enterprise risk assessments that are reviewed by the Audit Committee and our Board of Directors, and our Internal Audit function, which is an objective, independent assurance and advisory organization that helps HP achieve business objectives and conducts regular assessments, audits, and testing of the cybersecurity program and its associated controls.

As of the date of this Form 10-K, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. However, there can be no guarantee that we will not experience such an event moving forward and if realized, these risks are reasonably likely to materially affect us. Additional information on cybersecurity risks we face can be found in “Risk Factors” in Item 1A of Part I of this report under the heading “System security risks, data protection breaches, cyberattacks, system outages and systems integration issues could disrupt our internal operations or services provided to customers, and could reduce our revenue, increase our expenses, damage our reputation and adversely affect our cash flows and stock price,” which should be read in conjunction with the foregoing information.

Our Board, in coordination with the Audit Committee, oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats.
Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Board and Audit Committee regularly review the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Board and Audit Committee regularly receive reports and presentations from management regarding our information and technology security program, including the CISO, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.

We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Board and Audit Committee, as well as ongoing updates regarding any such incident until it has been addressed.


Company Information

Name: HP INC
CIK: 0000047217
SIC Description: Computer & office Equipment
Ticker: HPQ - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: October 30