Philip Morris International Inc. 10-K Cybersecurity GRC - 2025-02-06

Page last updated on February 6, 2025

Philip Morris International Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-06 07:16:19 EST.

Filings

10-K filed on 2025-02-06

Philip Morris International Inc. filed a 10-K at 2025-02-06 07:16:19 EST
Accession Number: 0001413329-25-000013


Item 1C. Cybersecurity.

Item 1C. Cybersecurity for a description of our cybersecurity risk management and strategy and governance. Our or our business partners’ failure or inability to adhere to privacy, data, artificial intelligence and information security laws could result in business disruption, loss of reputation and consumer trust, litigation, regulatory action including significant fines or penalties, financial impact, and loss of revenue, assets or personal, confidential, or sensitive data. An actual or alleged failure to comply with complex and changing privacy, data, artificial intelligence and information security laws and regulations under the EU General Data Protection Regulation, various U.S. state and federal laws, and other similar privacy and information security laws across the jurisdictions in which PMI operates, such as the failure to protect personal data; implement appropriate technological and reasonable security measures; implement and maintain appropriate safeguards for personal data being transferred internationally; respect the privacy rights of data subjects; provide sufficiently detailed notices of personal data processing; retrieve consent and provide opt-outs; meet stringent timeframe requirements for incident reporting to regulatory authorities; comply with artificial intelligence regulations, and others, could have a material adverse effect on us, subject us to substantial fines and/or legal challenges, and/or harm our business, reputation, financial condition, or operating results. Such laws and regulations across the jurisdictions in which PMI operates may vary, resulting in inconsistent or conflicting legal obligations. Although we maintain a cyber liability insurance policy to address many of these risks, such policy may not be sufficient to prevent a cybersecurity incident or attack from resulting in a material adverse effect on our business, reputation, financial condition, or operating results.

Risks Related to Acquisitions and Divestitures

We may not successfully identify, complete, or realize the benefits from strategic acquisitions, divestitures, joint ventures, or investments. From time to time, we evaluate acquisition candidates, joint ventures, or investments that may strategically fit our business objectives. As a result of some of these evaluations, we have acquired and may acquire in the future certain businesses (or parts of businesses) or assets. We have also divested and may divest businesses from time to time. These activities may present financial, managerial, and operational risks including, but not limited to, diversion of management’s attention from existing core businesses; difficulties in integrating, or inability to successfully integrate, acquired businesses, including integrating or separating personnel, information technology, financial and other systems; inability to effectively and immediately implement control environment processes across a diverse employee population; adverse effects on existing or acquired customer and supplier business relationships; potential disputes with buyers, sellers, or partners, as well as other unanticipated problems or liabilities, such as contingent liabilities and litigation. Activities in such areas are regulated by numerous antitrust and competition laws in the United States, the European Union, the United Kingdom, and elsewhere. We have in the past and may in the future be required to obtain approval of these transactions by competition or other regulatory authorities or to satisfy certain legal requirements, and we may be unable to obtain such approvals or satisfy such requirements, each of which may result in additional costs, delays, or our inability to complete such transactions. Any of these factors could prevent us from realizing the anticipated benefits of any such transaction and/or could materially and adversely affect our financial condition and operating results.

We may face additional risks related to divestitures. For example, risks related to our ability to find appropriate buyers, execute transactions on favorable terms, separate divested business operations with minimal impact to our remaining operations, and effectively manage any transitional or long-term service arrangements. Further, our divestiture activities may require us to recognize impairment charges. Any of these factors could materially and adversely affect our financial condition and operating results.

Accounting adjustments related to acquisitions could adversely affect our financial results. Given the nature of assets acquired through acquisitions, we may not be able to avoid future impairments of those assets, which may also have a material adverse impact on our future operating results and financial position.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

PMI relies heavily on the availability, reliability, and security of our information systems, networks, data, and intellectual property to, among other things, help manage our business processes and operations, collect and interpret data, and communicate internally and externally with employees, suppliers, consumers and customers, and business partners. We have a cross-functional cybersecurity risk program developed using standard industry practices, which monitors and manages cybersecurity threats to our business and information systems. We invest in administrative, technical, and physical safeguards, including continuity planning, to enhance resilience on our core processes, to maintain information security protections of our data and to safeguard the privacy of consumers, customers, employees and business partners. As of the date of this Form 10-K, cybersecurity threats have not materially affected our business, financial condition, or operating results.

Risk Management and Strategy

Our cybersecurity risk program, managed by our Chief Information Security Officer (“CISO”) and the information security team, is conducted under our enterprise risk management framework and operates on a risk-based approach in assessing risks from cybersecurity threats, as follows:

- Cybersecurity Threat Scenarios. Our cybersecurity risk assessment process consists of identifying and compiling a catalogue of top cybersecurity threat scenarios relevant to PMI, which facilitates risk assessments with our IT and business stakeholders.
- Cybersecurity Maturity Assessment. Our risk exposure from relevant cybersecurity threat scenarios is mitigated by evaluating existing cybersecurity capabilities and corresponding maturity to identify and address areas for improvement.
- Cybersecurity Threat Assessment. To establish PMI’s current and target cybersecurity risk exposure, residual risk exposure from the most relevant cybersecurity threat scenarios across IT platforms and regions is evaluated and measured based upon the cybersecurity maturity assessments.
- Cybersecurity Risk Program. PMI has a cybersecurity risk program to enhance its ability to identify, prevent, mitigate, respond to and recover from disruptive cybersecurity threats and incidents and to reduce cybersecurity risk exposure. Improvements in our cybersecurity defense capabilities are prioritized based upon the results of cybersecurity threat assessments and cybersecurity maturity assessments. Identified issues from these assessments form the improvement initiatives under our cybersecurity risk program. As discussed in more detail below under "Governance," the program’s key improvement initiatives, their implementation status, and the overall progression in our cybersecurity capability maturity are regularly presented to the applicable governing body within PMI.

In addition, our cybersecurity risk program operates in coordination with the following:

Cyber Defense. Our dedicated cyber defense team provides services to identify, help prevent, detect and respond to cybersecurity threats and intrusions and collaborates with internal and external stakeholders to help protect PMI’s information, mitigate operational disruptions and maintain business continuity. The cyber defense team’s controls and procedures identify and enable escalation of cybersecurity incidents to the applicable governing body within PMI, as appropriate, to meet disclosure and reporting requirements for such incidents.

Third-Party Cyber Risk Management. Some of our information systems and networks are developed, supplied, or managed by third-party service providers. Our third-party cyber risk management process analyzes and seeks to control risks associated with outsourcing products or services, such as “supply chain” style cyberattacks, and identifies preventative and detective controls to mitigate third-party vendor and service provider cybersecurity risks that could adversely impact our business and operations.

Education and Awareness. PMI regularly and annually provides its in-scope workforce with mandatory cybersecurity awareness education and training addressing information security related tasks in line with our evolving information security policies, standards, procedures, and practice, as well as supplemental role-based training and awareness programs.

We engage external assessors, auditors and other third parties to independently evaluate our cybersecurity risk management process and related controls, including the relevance to PMI of identified cybersecurity scenarios and the results of cybersecurity maturity assessments. The outcome of such evaluations, audits or reviews is reported to the Corporate Risk Governance Committee and to the Audit & Risk Committee, and our cybersecurity policies, standards and processes are adjusted, as necessary.

PMI follows a risk evaluation process for issues identified through internal audits, security assessments, third-party cybersecurity risk assessments, or self-assessment disclosures, and resulting information technology risks are recorded for risk remediation, transfer, avoidance, or acceptance as appropriate. Some of our information systems are managed by specialist third-party service providers, and we work with internal specialists to protect systems and data from unauthorized access and other cybersecurity threats.

Governance

The Audit and Risk Committee of our Board of Directors oversees our policies and practices with respect to risk assessment and risk management, including a review, in coordination with our management, of PMI’s management of cybersecurity. Our CISO presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans. The Corporate Risk Governance Committee receives quarterly reports on the Company’s overall cybersecurity risk exposure, including the individual top cybersecurity threat scenario residual risk ratings and the plan and status of the cybersecurity risk program, to facilitate calibration with other enterprise risk domains and validation of the risk response plans. The Corporate Risk Governance Committee includes our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), General Counsel (“GC”), Senior Vice President Operations, and our Chief Digital & Information Officer (“CDIO”).

Cybersecurity incidents that have been determined to meet established SEC reporting consideration thresholds are promptly communicated to the Disclosure Committee, which is responsible for evaluating the potential materiality of such incidents and ensuring the accuracy, timeliness and completeness of related disclosures under applicable reporting obligations, and other relevant communications or presentations. The Disclosure Committee’s membership includes the following executives: the Corporate Secretary; the GC; the CFO; the Controller & Principal Accounting Officer; the Chief Risk Assurance Officer; and the Vice President, Investor Relations. In addition, the CISO serves as an advisor to the Disclosure Committee.

The CISO has served in various roles in information technology and information security for over 25 years, including in the telecommunications and management consultancy sectors and serving as the Chief Information Security Officer of two large public companies. The CDIO holds an engineering degree and has served in various senior positions in information technology for over 20 years, including serving as Senior Vice President, IT Sales, and Global Chief Information Officer at a public company. The CEO has served in various positions in finance and general management at PMI for over 30 years, including as Chief Financial Officer and Chief Operating Officer, and holds a master’s degree in economics. The CFO has over 15 years of experience in finance and management, having held several executive positions in charge of finance, legal affairs, information systems and industry administration at various companies. The GC has served at PMI for 18 years in several positions within the Legal & Compliance department, including as Vice President and Associate General Counsel of various regions, and holds two master’s degrees having studied law, management and finance.

As of the date of this Annual Report on Form 10-K, PMI is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect PMI, its business strategy, results of operations or financial condition. For additional information concerning PMI’s risks related to cybersecurity, see Item 1A. Risk Factors.


Company Information

Name: Philip Morris International Inc.
CIK: 0001413329
SIC Description: Cigarettes
Ticker: PM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30