Page last updated on February 14, 2025
PHINIA INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 10:58:20 EST.
Filings
10-K filed on 2025-02-13
PHINIA INC. filed a 10-K at 2025-02-13 10:58:20 EST
Accession Number: 0001968915-25-000006
Item 1C. Cybersecurity.
Risk Management and Strategy

As part of our overall risk management system and processes, we assess, identify and manage material risks from cybersecurity threats through our Enterprise Risk Management (ERM) program. For a description of cybersecurity risks relevant to our business, see Item 1A, “Risk Factors.”

The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the goals of: (i) identifying, preventing and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, security and availability of the information we collect and store for use in operating our business; (iii) protecting the Company’s intellectual property; (iv) maintaining the confidence of our customers, suppliers, other business partners and employees; and (v) providing appropriate disclosure of cybersecurity risks and incidents when required.

Our cybersecurity and data protection policies, processes and strategies are informed by regulatory and business requirements, our prior experience addressing cybersecurity attacks and incidents (including with our former affiliates) and industry practices, and are periodically adjusted based on the results of assessments conducted through our ERM practices, third-party audits and independent reviews, and other processes.

Consistent with the Company’s ERM practices, our cybersecurity policies, processes and layers of defense focus on the following areas:

- Surveillance and Monitoring. The Company maintains 24/7 cybersecurity threat surveillance in conjunction with a managed security service that monitors system logs and network traffic for indicators of compromise and other suspicious activity, and conducts monthly external vulnerability assessments and annual penetration testing.
- System Safeguards. The Company deploys system safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including early detection and response antivirus tools, data leak prevention tools and systems, vulnerability scans of data centers, firewalls, anti-malware functionality and access controls, and programs to support remediation, replacement or isolation of systems that have reached, or are expected to reach, end of security life.
- Third-Party Collaboration. The Company utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups, and third-party service providers, to identify, assess and respond to cybersecurity risks.
- Third-Party Risk Management. The Company has processes in place for identifying and overseeing cybersecurity risks presented by third-party users of the Company’s systems, as well as third-party systems used by the Company.
- Training. The Company requires personnel, including new hires, to complete training regarding cybersecurity threats, incident reporting procedures and acceptable use of our information systems.
- Incident Response Planning. The Company has established and maintains a cybersecurity incident response plan that outlines an organized and timely approach for responding to and handling security incidents affecting the Company’s systems or data, including the intrusions or incidents involving data from a third party.

A key part of the Company’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company’s policies and processes through audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity controls and oversight. Third-party audits and independent reviews of our cybersecurity measures, information security control environment and operating effectiveness are conducted on at least an annual basis.

As a global company, we have experienced cybersecurity attacks and incidents in the past, and we could in the future experience similar attacks. To date, we have not experienced a cybersecurity incident or attack, or any risk from cybersecurity threats, that has materially affected or is reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition.

Governance

The Board, in coordination with the Audit Committee, oversees the Company’s policies with respect to the assessment and management of risks from cybersecurity threats. The Board receives updates regarding cybersecurity risks primarily in connection with its oversight of the Company’s risk management practices. The Audit Committee receives updates regarding cybersecurity risks from the Company’s Chief Information Security Officer (CISO) and Chief Information Officer (CIO), including with respect to the assessment and management of such risks and recent developments, trends and the general threat environment, on at least a quarterly basis.

The Company’s cybersecurity team, which is led by our CISO, oversees the Company’s cybersecurity and data security operations, programs, policies and processes and their general effectiveness. The cybersecurity team, in coordination with other Incident Response Team members, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to cybersecurity incidents. The Company’s Incident Response Team consists of our CISO and other senior leaders from the Company’s cybersecurity (composed of information security and technology operations), compliance, legal, financial reporting and other key business and corporate functions. The CISO and other Incident Response Team members monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in accordance with the incident response plan. The team is also responsible for informing and coordinating with the Company’s Disclosure Committee in timely reporting such incidents, as appropriate and depending on the severity of the incident, and facilitating updates to the Strategy Board (consisting of our CEO, Chief Financial Officer (CFO), General Counsel, CIO and other members of management), Audit Committee and Board regarding such incidents until addressed.

We have experienced leaders responsible for assessing and managing risks arising from cybersecurity threats. Our CISO reports to the CIO and has served in various roles in information technology and information security for over 29 years, including most recently leading the Information Security Office of BorgWarner Inc. He holds a Bachelor of Science in Physics. The Company’s CIO reports to our CEO and has served in various roles in information technology and information security for over 26 years, including CIO of Gentherm Incorporated immediately prior to joining the Company. Our CIO holds a Bachelor of Science in Business, with a concentration in Computer Information Systems, and an MBA in Finance and Strategic Management. He is also a Digital Directors Network (DDN) Boardroom Certified Qualified Technology Expert (QTE). In addition, the Company’s CEO, CFO and General Counsel each have experience overseeing the management of cybersecurity and other risks similar to those impacting the Company’s business.
Company Information
Name | PHINIA INC. |
CIK | 0001968915 |
SIC Description | Motor Vehicle Parts & Accessories |
Ticker | PHIN - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |