Page last updated on February 14, 2025
AMERICAN AXLE & MANUFACTURING HOLDINGS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 13:09:47 EST.
Filings
10-K filed on 2025-02-14
AMERICAN AXLE & MANUFACTURING HOLDINGS INC filed a 10-K at 2025-02-14 13:09:47 EST
Accession Number: 0001062231-25-000008
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We rely upon information technology (IT) networks and systems to process, transmit and store electronic information, and to manage or support a variety of critical manufacturing and business processes or activities. Additionally, we and certain of our third-party vendors collect and store personal or confidential information, including personally identifiable information, in connection with human resources operations and other aspects of our business. The secure operation of these information technology networks and systems and the proper processing and maintenance of this information are critical to our manufacturing and business operations.
We have developed and implemented our Information Security Management System (ISMS), which includes robust processes for identifying, assessing and managing risks from cybersecurity threats. Cybersecurity risk is included in AAM’s “Top Risks Assessment” under our enterprise risk management program as identified and monitored by our Risk Management Working Group. This group is comprised of leadership from the major functions within AAM and the enterprise risk management program includes the identification and continuous evaluation of the risks associated with the systems and information most critical to AAM and the processes and controls in place to protect the systems and information.
Our ISMS leverages comprehensive cybersecurity frameworks and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Critical Security Controls, the Trusted Information Security Assessment Exchange (TISAX) standard, and the International Organization for Standardization (ISO) 27001 standard for information security.
Our ISMS is built upon a balance of people, processes and technologies comprised of, among other elements: 1) 24/7 security monitoring using internal and third-party resources; 2) security awareness and phishing testing; 3) periodic table-top and live-fire exercises; 4) high system availability and business continuity; and 5) comprehensive incident response and escalation plans.
Further, in support of our ISMS, we utilize certain third-party service providers, primarily in the following capacities: 1) incident response partners that assist with performing incident simulations and who are available to assist in the event of an actual cybersecurity incident; 2) third-party experts to conduct penetration testing on AAM systems and certain third-party systems, as necessary; and 3) leveraging third-party expertise to assist with testing IT controls and performing gap analysis over IT processes and procedures.
AAM’s Chief Information Security Officer (CISO) manages and monitors these third-party service provider relationships and works closely with AAM’s information security, procurement, legal and internal audit departments to ensure proper evaluation and security assessment of critical third-party service providers and data processors.
Cybersecurity Governance
The AAM Information Security Council (ISC), comprised of leadership representatives from across the organization, meets periodically to discuss current threats and trends and the resulting information security initiatives and priorities. The ISC members provide support for policy changes and insights into how the information security team can most effectively educate, communicate, and support AAM. The ISC is led by AAM’s Chief Information Officer (CIO) and CISO, our frontline business leaders with regard to cybersecurity risk management.
AAM’s CIO has been an IT professional in various capacities for over 25 years and maintains the following certifications: Certified CISO, Certified Information Systems Security Professional, Certified Cloud Security Professional, and Certified Information Privacy Technologist.
Our Board of Directors and its committees play an active role in overseeing our key risks. Our cybersecurity risk management processes and strategy are governed by the Audit Committee of our Board of Directors. Management provides quarterly reports to the Audit Committee that include, among other items: 1) AAM’s cybersecurity scorecard, which includes certain key performance indicators (KPIs) and provides quantitative measures of these KPIs; 2) industry security trends and outlook; 3) an update on AAM’s security program and roadmap; 4) current quarter IT security accomplishments; and 5) IT security priorities for the following quarter. In addition, on an annual basis, management reports to the Audit Committee the results of our system availability and disaster recovery testing for AAM’s enterprise systems, as well as the results of our incident response testing and corresponding action plans.
Although no cybersecurity incidents during the year ended December 31, 2024 had a material impact on our strategy, financial condition or results of operations, the scope and impact of any future incident cannot be predicted. See Item 1A. Risk Factors for additional discussion regarding AAM’s IT and cybersecurity risks.
Company Information
Name | AMERICAN AXLE & MANUFACTURING HOLDINGS INC |
CIK | 0001062231 |
SIC Description | Motor Vehicle Parts & Accessories |
Ticker | AXL - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |