FORD MOTOR CO 10-K Cybersecurity GRC - 2025-02-05

Page last updated on February 6, 2025

FORD MOTOR CO reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-05 20:44:08 EST.

Filings

10-K filed on 2025-02-05

FORD MOTOR CO filed a 10-K at 2025-02-05 20:44:08 EST
Accession Number: 0000037996-25-000013


Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management

We devote significant resources to our security program that we believe is reasonably designed to mitigate our cybersecurity and information technology risk. We believe our cybersecurity program is reasonably designed to protect our information systems, software, networks, and other assets against, and mitigate the effects of cybersecurity incidents where unauthorized parties attempt, among other things, to disrupt or degrade service or our operations; misuse or abuse technology and information systems; make unauthorized disclosure of data; or otherwise cause harm to the Company, our customers, suppliers, or dealers, or other key stakeholders. We employ capabilities, processes, and other security measures we believe are reasonably designed to reduce and mitigate these risks, and have requirements for our suppliers and service providers to do the same. Despite having thorough due diligence, onboarding, and cybersecurity assessment processes in place for our suppliers and service providers, the responsibility ultimately rests with those parties to establish and maintain their respective cybersecurity programs. Our ability to monitor the cybersecurity practices of third parties is limited and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, networks, and other assets owned or controlled by each of them. When we become aware that a supplier or service provider’s cybersecurity has been compromised, we attempt to mitigate the risk to the Company, including, if appropriate and feasible, by terminating the supplier’s connection to our information systems.

In an effort to effectively prevent, detect, and respond to cybersecurity threats, we employ a multi-layered cybersecurity risk management program supervised by our Chief Information Security Officer, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, architecture, and processes. This responsibility includes identifying, considering, and assessing potentially material cybersecurity incidents on an ongoing basis, establishing processes designed to prevent and monitor potential cybersecurity risks, implementing mitigation and remedial measures, and maintaining our cybersecurity program. Our program is informed by and designed to comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Our program leverages both internal and external techniques and expertise. Internally, we perform penetration tests, internal tests/code reviews, and red team exercises, among other things, to evaluate aspects of our cybersecurity program. We also perform phishing and social engineering simulations with, and provide cybersecurity training for, personnel with Company email and access to Company assets, and regularly circulate security awareness newsletters to employees. Externally, we monitor notifications from the U.S. Computer Emergency Readiness Team (“CERT”) and various Information Sharing and Analysis Centers (each an “ISAC”); review customer, media, and third-party cybersecurity reports; and operate a bug bounty program. Our cybersecurity program also includes disaster recovery and incident response plans, including a ransomware response plan which is regularly tested and evaluated in tabletop simulations. The Company’s global cybersecurity incident response is also overseen by our Chief Information Security Officer. Our Chief Information Security Officer has served in that role for over 7 years and has over a decade of engineering and operations expertise with cybersecurity technologies and services.

Our Chief Information Security Officer reports to our Chief Enterprise Technology Officer who has spent over two decades managing cybersecurity risks as a leader at enterprise software and Fortune 50 companies. Our Chief Enterprise Technology Officer reports directly to our Chief Executive Officer. When a cybersecurity threat or incident is identified, our policy is to review and triage the threat or incident, and to then manage it to conclusion in accordance with our cybersecurity incident response processes. When a cybersecurity incident is determined to be significant, it is addressed by management committees using processes that leverage subject-matter expertise from across the Company. Further, we have in the past and may in the future engage with third-party advisors and government and law enforcement agencies as part of our incident management processes. All cybersecurity incidents that are identified as reasonably having the potential to be highly significant to the Company are brought to the attention of both the Chief Enterprise Technology Officer and Chief Policy Officer and General Counsel by the Chief Information Security Officer as part of our cybersecurity incident response processes.

Cybersecurity Governance and Oversight

Cybersecurity risk identification, assessment, and management are integrated into our overall enterprise risk management program. As part of its enterprise risk management efforts, the Board meets with senior management, including the executive leadership team, to assess and respond to critical business risks. These critical enterprise risks are assessed by senior management annually and discussed with the Board. Then each of the top risks is validated, prioritized, and assigned risk owners who are responsible to oversee risk assessment, develop and implement mitigation plans, and provide regular updates to the Board (and/or Board committee assigned to the risk).

In this way, critical business risks, including cybersecurity risk, benefit from both top-down and bottom-up risk management efforts that we believe are reasonably designed to escalate key risk and control issues to senior management and the Board. As a result of this enterprise risk management process, cybersecurity threats have been and continue to be identified as one of the Company’s critical business risks, with our Chief Enterprise Technology Officer and Chief Information Security Officer assigned as the executive risk owners. The Chief Enterprise Technology Officer and Chief Information Security Officer monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of the Company’s global cybersecurity incident response plans, which include provisions for escalation to the Chief Policy Officer and General Counsel, as well as the Board and its committees, as appropriate. As discussed below, the executive risk owners for cybersecurity risk report out to the Audit Committee and, in some cases, the Board, on a regular basis as part of our enterprise risk management process. The Board has delegated primary responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee. As part of its oversight responsibilities, the Audit Committee receives regular updates on our cybersecurity practices as well as cybersecurity and information technology risks from our Chief Information Security Officer. These updates include topics related to cybersecurity practices, cyber risks, and risk management processes, such as updates to our cybersecurity programs and mitigation strategies, and other cybersecurity developments.

In addition to these regular updates, as part of our incident response processes, the Chief Enterprise Technology Officer, in collaboration with the Chief Information Security Officer and Chief Policy Officer and General Counsel, provides updates on certain cybersecurity incidents to the Audit Committee and, in some cases, the Board. The Audit Committee reviews and provides input into and oversight of our cybersecurity processes, and in the event Ford determines it has experienced a material cybersecurity incident, the Audit Committee is notified about the incident in advance of filing a Current Report on Form 8-K. In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. For a discussion of whether and how cybersecurity incidents, ransomware attacks, and other disruptions to our operational information systems, security systems, vehicles, and services could reasonably be expected to affect the Company, including its business strategy, results of operations or financial condition, see our risk factors above in Item 1A. generally and, in particular, "Operational information systems, security systems, vehicles, and services could be affected by cybersecurity incidents, ransomware attacks, and other disruptions and impact Ford, Ford Credit, their suppliers, and dealers" on page 22.
ITEM 2. Properties.

Our principal properties include manufacturing and assembly facilities, distribution centers, warehouses, sales or administrative offices, and testing, prototype, and operations space. We own substantially all of our U.S. manufacturing and assembly facilities. Our facilities are situated in various sections of the country and include assembly plants, engine plants, casting plants, metal stamping plants, transmission plants, and other component plants. Most of our distribution centers are leased (we own approximately 34% of the total square footage and lease the balance). The majority of the warehouses that we operate are leased, although many of our manufacturing and assembly facilities contain some warehousing space. Substantially all of our sales offices are leased space. Approximately 80% of the total square footage of our testing, prototype, and operations space is owned by us. In addition, we maintain and operate manufacturing plants, assembly facilities, parts distribution centers, and engineering centers outside of the United States. We own substantially all of our non-U.S. manufacturing plants, assembly facilities, and engineering centers. The majority of our parts distribution centers outside of the United States are either leased or provided by vendors under service contracts.

We and the entities that we consolidated as of December 31, 2024 use over 375 operations facilities globally, including testing and prototype, across 24 countries, and 41 manufacturing and assembly plants, which includes plants that are operated by us or our consolidated joint venture that support our Ford Blue, Ford Model e, and Ford Pro segments. We have one consolidated joint venture with manufacturing operations, which is in our Ford Blue segment:

- Ford Vietnam Limited - a joint venture between Ford (75% partner) and Diesel Song Cong One Member Limited Liability Company (a subsidiary of the Vietnam Engine and Agricultural Machinery Corporation, which, in turn, is majority owned (87.43%) by the State of Vietnam represented by the Ministry of Industry and Trade) (25% partner). Ford Vietnam Limited assembles and distributes a variety of Ford passenger and commercial vehicle models. The joint venture operates one plant in Vietnam.

In addition to the plants that we operate directly or that are operated by our consolidated joint venture, additional plants that support our Ford Blue, Ford Model e, and Ford Pro segments are operated by unconsolidated joint ventures of which we are a partner. The most significant of those unconsolidated joint ventures are as follows:

- AutoAlliance (Thailand) Co., Ltd. (“AAT”) - a 50/50 joint venture between Ford and Mazda that owns and operates a manufacturing plant in Rayong, Thailand. AAT produces Ford and Mazda products for domestic and export sales.
- BlueOval SK, LLC - a 50/50 joint venture among Ford, SK On Co., Ltd., and SK Battery America, Inc. (a wholly owned subsidiary of SK On) that is building and will operate electric vehicle battery plants in Tennessee and Kentucky to supply batteries to Ford and Ford affiliates.
- Changan Ford Automobile Corporation, Ltd. (“CAF”) - a 50/50 joint venture between Ford and Chongqing Changan Automobile Co., Ltd. (“Changan”). CAF operates four assembly plants, an engine plant, and a transmission plant in China where it produces and distributes a variety of Ford and Lincoln brand passenger vehicle models.
- Ford Otomotiv Sanayi Anonim Sirketi (“Ford Otosan”) - a joint venture in Türkiye among Ford (41% partner), the Koc Group of Türkiye (41% partner), and public investors (18%) that is the sole supplier to us of the Transit, Transit Custom, and Transit Courier commercial vehicles and the Puma for Europe and the sole distributor of Ford vehicles in Türkiye. Ford Otosan also manufactures Ford heavy trucks for markets in Europe, the Middle East, and Africa. The joint venture owns three plants, a parts distribution depot, and a research and development center in Türkiye, and a combined vehicle and engine plant in Romania.


Company Information

Name: FORD MOTOR CO
CIK: 0000037996
SIC Description: Motor Vehicles & Passenger Car Bodies
Ticker: F - NYSE; F-PB - NYSE; F-PC - NYSE; F-PD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30