Hewlett Packard Enterprise Co 10-K Cybersecurity GRC - 2024-12-19

Page last updated on December 19, 2024

Hewlett Packard Enterprise Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-19 08:20:59 EST.

Filings

10-K filed on 2024-12-19

Hewlett Packard Enterprise Co filed a 10-K at 2024-12-19 08:20:59 EST
Accession Number: 0001645590-24-000139

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity. Risk Management and Strategy Our Cybersecurity and Digital Risk Management (“CDRM”) organization, under the leadership of a Global Chief Information Security Officer (“Global CISO”), operates a cybersecurity program that is designed to help us assess, identify, manage, and mitigate risks relating to cybersecurity threats and incidents. We design our cybersecurity standards, policies, processes and controls to operate in an integrated manner, leveraging applicable industry standards and security frameworks, including the NIST Cybersecurity Framework, as guides in supporting our ability to perform such functions. CDRM manages our cybersecurity program, including by fostering collaboration with partners across business units and functional areas to identify and assess material cybersecurity threats, evaluate their severity, and explore ways to mitigate and manage such risks. Business units and functional areas are responsible for managing risks and implementing our policies and standards within the respective business unit or function. Compliance with our policies and standards is assessed by CDRM in conjunction with our internal audit function, through periodic cybersecurity audits. As part of our cybersecurity program, we maintain a Cyber Risk Management Program that seeks to address key risk management concepts, including mission and vision, escalation path for risk mitigation, risk assessments, and risk treatment. We do so by conducting a variety of planning and preparedness activities, including employing monitoring tools to identify suspicious or anomalous activity, vulnerabilities, or signs of compromise across our networks, systems, and data. We utilize data from attack surface management tools to produce a prioritized set of vulnerabilities for remediation. We also require mandatory cybersecurity training for employees and periodically conduct Company-wide phishing simulations. To aide in assessing material risks from cybersecurity threats, our enterprise risk management (“ERM”) program incorporates cybersecurity risks as part of its process to assess overall risk of the Company. The ERM organization supports management by facilitating a semi-annual risk assessment, which documents the priority and status of these risks and aligns them with our strategic mitigation efforts. ERM is structured using a framework based on guidance from the Committee of Sponsoring Organizations of the Treadway Commission on Enterprise Risk Management Integrating Strategy with Performance. Within CDRM, our Cybersecurity Defense Center (“CDC”) has established policies, processes, and controls that are designed to monitor, detect, investigate, respond to, and escalate management of cybersecurity threats and incidents. If we experience a cybersecurity incident, the CDC activates an incident response plan, which includes processes to enable us to triage, assess severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with applicable legal obligations and mitigate brand and reputational harm. Based on initial investigation into such incident’s impact to the Company, the actor(s) involved, and other factors, the CDC assigns a severity level to an incident, which dictates the escalation path for a given incident. For incidents rising to higher levels of severity, the Cyber Governance and Incident Disclosure Committee, a cross-functional committee spanning cybersecurity, IT, legal, finance, enterprise risk management, and compliance teams, assesses the severity and potential materiality of such incidents and, as appropriate, escalates to designated members of our senior management for further assessment, response, and remediation. Additionally, we have established a Cyber Crisis Management Team, responsible for addressing and responding to the most severe cyber incidents. If warranted, senior management notifies the Audit Committee and/or the full Board of Directors, as appropriate. Throughout this process, the CDC continues to investigate the incident and, as its understanding of the incident evolves, updates its severity assessment, as necessary. We engage third-party security experts, assessors, and consultants, as appropriate, to assess our cybersecurity risk management processes; support our ongoing certification efforts; help identify areas for continued focus, improvement, and compliance; and support incident response functions, to the extent necessary, all of which support our cybersecurity program. From time to time, we conduct third-party-administered, as well as internally administered, tabletop exercises, which simulate cybersecurity threats, to assess our existing cybersecurity infrastructure and incident response processes. We also periodically conduct offensive security assessments and vulnerability tests, and continuously monitor our computing environments to gain visibility into our security posture and detect vulnerabilities, abnormalities, or signs of compromise. In addition to monitoring risks from threats to our own assets, we administer third-party risk management practices that endeavor to help identify and manage supply chain and vendor risk arising from some of our key suppliers and other service provider organizations. We do so in a variety of ways, such as gathering information on third parties’ cybersecurity programs and controls, performing due diligence, undertaking cybersecurity reviews and/or audits, and/or mandating certain contractual requirements, such as notification of cybersecurity incidents. 36 Table of Conte n t Governance Our Global CISO, who reports to our Chief Operating and Legal Officer (“COLO”), has principal management-level responsibility for our cybersecurity program, which includes assessing and managing our cybersecurity risks, along with developing and implementing cybersecurity processes, policies, and controls that are used for managing cybersecurity risk across the Company. Our Global CISO is supported by the CISO of Cyber Defense and the CISO of Cyber Governance - both of whom have extensive experience in private sector cybersecurity roles - and a team of cybersecurity professionals with relevant educational and industry experience. The Global CISO periodically meets with the Cyber Governance and Incident Disclosure Committee, our enterprise risk management function and chief-level executives to discuss cybersecurity risks, as well as related mitigation and remediation activities. The CDC monitors the prevention, detection, investigation, mitigation, response to, and remediation of cybersecurity incidents, and regularly reports to our CISO of Cyber Defense, who then subsequently reports to the Global CISO. Our Board of Directors is responsible for overseeing cybersecurity risk, primarily through the Audit Committee. Cybersecurity reviews by the Audit Committee and the Board of Directors are scheduled to occur at least quarterly and annually, respectively, or more frequently, as deemed necessary or advisable. Such presentations to the Audit Committee and Board of Directors, as applicable, are made by our COLO and Global CISO and address topics such as cybersecurity threats, incidents, risks, results from internal and third-party assessments, progress towards risk-mitigation goals, the functioning of our incident response program, and regulatory developments. At times, the Audit Committee may receive additional cybersecurity risk reviews from other members of management and/or internal cybersecurity experts on certain of our key business segments and products. The Audit Committee regularly reports to our Board of Directors regarding the committee’s oversight of such cybersecurity matters. Additionally, the COLO and Global CISO may provide ad hoc updates to the Board of Directors and/or the Audit Committee if necessitated by a security incident or other significant developments. HPE, like all organizations operating in the technology landscape, faces significant and persistent cybersecurity risks. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected us, including our business strategy, results of operations, or financial condition. Notwithstanding our cybersecurity program, we may not be successful in identifying a cybersecurity risk or preventing or mitigating a cybersecurity incident or vulnerability, which if realized, could reasonably likely materially affect us. Additional information on the cybersecurity risks we face can be found in the section titled “Risk Factors” in Item 1A of Part I of this Annual Report on Form 10-K. Our prior Global CISO departed HPE at the end of October 2024. We have identified a successor, who will join HPE in January 2025, previously served in relevant leadership positions at other public and private companies, and will bring over two decades of technology experience spanning information security and IT, including serving as CISO at other large companies. In the interim, our CDRM organization has been and will be led by our CISO of Cyber Defense and CISO of Cyber Governance, both reporting directly to our COLO.

Company Information