CUMMINS INC 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

CUMMINS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 15:57:42 EST.

Filings

10-K filed on 2025-02-11

CUMMINS INC filed a 10-K at 2025-02-11 15:57:42 EST
Accession Number: 0000026172-25-000007


Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity

Material Cybersecurity Risks, Threats and Incidents

To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A "Risk Factors" under the heading "General," which should be read in conjunction with the foregoing information.

Cybersecurity Governance

We are committed to protecting our IT assets and the data stored within these assets. This commitment includes the protection of cyber assets relevant to our operations, stakeholder data (including employee, customer and supplier data), intellectual property and our products.

The Enterprise Cybersecurity function, which is responsible for the administration of our enterprise cybersecurity program, is led by the Chief Information Security Officer, who holds a degree in Management Information Systems (MIS) and a Certified Information Security Manager (CISM) designation, and has more than 20 years of IT, cybersecurity, audit and risk management experience in the industrial manufacturing industry. The Chief Information Security Officer reports to our Chief Information Officer. These leaders provide regular updates to the Audit Committee of the Board on cybersecurity risks. Through these updates, the Audit Committee receives a cybersecurity dashboard illustrating cybersecurity priorities and the status of key initiatives.

The Product Cybersecurity function, which is responsible for the administration of our product cybersecurity program, is led by the Principal Engineer - Product Cybersecurity, who has more than 35 years of embedded electronic systems design experience. The Principal Engineer - Product Cybersecurity works directly with the Chief Technical Officer. These leaders provide regular updates to the SET Committee of the Board on product related cybersecurity risks. Through these updates, the SET Committee receives a report discussing product level vulnerability management, product level incident management and the status of relevant product cybersecurity activities.

Our processes for oversight of cybersecurity risks are integrated into our Enterprise Risk Management (ERM) program, which is led by the Executive Director, Global Risk. To govern the ERM program, we established an Executive Risk Council that meets regularly to review and monitor our most significant enterprise risks, and our prevention, detection and mitigation plans, including with respect to cybersecurity. The Executive Risk Council is comprised of senior leaders with cross-functional experience and responsibilities.

Our Board and its committees are engaged in the oversight of our most significant enterprise risks, including cybersecurity risks. We assign a member of our executive management team to report material information to our Board regarding these risks. The Audit Committee, working with the Chief Information Officer, provides oversight of the enterprise cybersecurity program. The SET Committee, working with the Chief Technical Officer, provides oversight of the product cybersecurity program. Our Board, Audit Committee and SET Committee receive reports and information from our senior leaders who have functional responsibility for the mitigation of enterprise cybersecurity and product cybersecurity risks. These leaders meet with the committees on a regular basis and provide dashboards or reports, which summarize cybersecurity risks and action plans. The committees elevate matters to the Board as appropriate.

Cybersecurity Risk Management and Strategy

We have an Enterprise Cybersecurity Management Review Group (Enterprise Cybersecurity MRG), which functions as a steering committee to provide oversight and strategic direction for the enterprise cybersecurity program. The Enterprise Cybersecurity MRG is comprised of senior leaders with cross-functional experience and responsibilities. This MRG meets regularly with our Chief Information Security Officer to review the enterprise cybersecurity program and related risks. The MRG receives updates on the status of key cybersecurity initiatives and is responsible for our response to material cybersecurity incidents. For material cybersecurity incidents, our process is to escalate through the MRG to the Audit Committee and Board.

We have a Product Cybersecurity Management Review Group (Product Cybersecurity MRG), which functions as a steering committee to provide oversight and strategic direction for the product cybersecurity program. The Product Cybersecurity MRG is comprised of senior leaders with cross-functional experience and responsibilities. The Product Cybersecurity MRG meets regularly with the Principal Engineer - Product Cybersecurity to review the product cybersecurity program, including risks and the status of key initiatives.

Both the Enterprise and Product Cybersecurity functions administer policies related to cybersecurity in consultation with other stakeholders at the company. Our risk-based cybersecurity program is designed to protect, detect, and respond to cybersecurity threats and incidents. This program, developed alongside the National Institute of Standards and Technology Cybersecurity Framework, aims to protect the confidentiality, integrity, and availability of our IT assets and the data stored thereon.

We also have a third-party risk management process, which is designed to assess and manage cybersecurity risks posed by third parties. This process is administered by the Enterprise Cybersecurity function, and through this program, the company evaluates the type of data that is shared with certain vendors with the goal of conducting risk-informed assessments. These assessments provide insights which the Enterprise Cybersecurity function uses to better manage third-party risks.

A cybersecurity operations team is in place to regularly monitor the environment for cybersecurity threats and incidents. We have incident response plans to assess and manage cybersecurity incidents. These plans include escalation procedures based on the nature and severity of the incident. The most critical incidents, which could be material to us, are escalated to executive management and the Enterprise Cybersecurity MRG. In addition, cyber insurance is in place, which may mitigate the impact of cybersecurity incidents.

We engage outside experts where appropriate to aid in maturing, implementing and testing the cybersecurity program and to review our cybersecurity operations. This includes incident response testing through tabletop exercises facilitated by external consultants. We have implemented training and awareness programs to educate our employees on cybersecurity risks, which includes regular educational phishing campaigns, and our Internal Audit function performs regular assessments of the design and operational effectiveness of the program's key processes and controls. We will continue to develop and mature our cybersecurity operations to respond to the dynamic cybersecurity landscape.


Company Information

Name: CUMMINS INC
CIK: 0000026172
SIC Description: Engines & Turbines
Ticker: CMI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30