Alcoa Corp 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Alcoa Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:57:42 EST.

Filings

10-K filed on 2025-02-20

Alcoa Corp filed a 10-K at 2025-02-20 16:57:42 EST
Accession Number: 0000950170-25-024242


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company’s processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall Enterprise Risk Management (ERM) process. As part of the ERM, the Company focuses on developing multi-layered, collaborative processes to identify, monitor, and manage risks from cybersecurity threats. Risks are grouped into categories that management can then assess, monitor, and prioritize based on the likelihood of an occurrence, level of impact, and mitigating factors. Our various cybersecurity risk management processes apply to various functions, including but not limited to, third-party suppliers and vulnerability management. We employ processes and technologies to bring visibility to, and protect against, cybersecurity risk, to include real time monitoring of network traffic and email. The Company also has a comprehensive body of policies and standards for assessing, identifying, and managing material risks from cybersecurity threats, including an incident response plan, business continuity plan, crisis management plan, as well as disaster recovery mechanisms, which are tested and updated. Additionally, the Company employs staff that are specifically dedicated to raising cybersecurity awareness and training within the organization.

The Company engages third-party assessors, consultants, and auditors to assist in assessing, identifying, and managing risk from cybersecurity threats. Third parties assist the Company by (i) providing regular penetration testing and vulnerability assessments; (ii) assessing and maintaining our formal incident response policies, including the use of tabletop testing; and (iii) providing multiple sources of threat intelligence information that are fed directly into our technical security platforms and our awareness campaigns, including ongoing network monitoring.

The Company also has a comprehensive third-party information security audit program in place. Alcoa has implemented processes designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to a security risk assessment prior to engagement to determine if they meet defined levels of security capabilities. Our master services agreements with third-party service providers generally carry a number of security requirements, including audit rights for the Company. After engagement, third-party service providers are subject to audits in which contract owners within Information Technology Automation Solutions (ITAS) validate that any certifications a vendor had upon engagement are maintained throughout the life of the agreement.

We have in the past experienced attempts and incidents by external parties to penetrate our, our service providers’, and our business partners’ networks and systems. Such attempts and incidents to date have not had a material adverse effect on our business, financial condition, or results of operations. See Part I Item 1A of this Form 10-K for more information on risks.

Governance

The Alcoa Board of Directors (Board), in coordination with the Audit Committee, is responsible for the oversight of our cybersecurity risk management program, and specifically, reviews and oversees the Company’s risk management and strategy relating to cybersecurity, including cybersecurity developments and threats and the Company’s process for assessing, managing, and mitigating material cybersecurity risks and threats. The Audit Committee and the Board receive regular updates regarding the state of the Company’s cybersecurity program, cybersecurity developments, and emerging threats.
The Chief Information Security Officer (CISO) and the Chief Information Officer (CIO) regularly update the Audit Committee and the Board regarding the Company’s strategy to mitigate cybersecurity risks, which includes regular vulnerability assessments and employee training on cybersecurity matters. Alcoa’s CISO is responsible for maintaining identified material cybersecurity risks within the Company’s ERM platform. On a quarterly basis, the CISO reviews and updates risks, as well as the control procedures in place. These risks are regularly reported to the Audit Committee and Board. Alcoa’s CISO has thirty years of experience in information technology, including over fifteen years in cybersecurity, and prior to joining Alcoa, was the CISO of the U.S. business of a large global insurance and asset company and was responsible for the security of data, systems, and processes supporting customer assets. Alcoa’s CISO maintains professional certifications in information security, participates in intelligence sharing organizations, and has extensive cybersecurity risk management experience in manufacturing organizations and reports to the CIO. Alcoa’s CIO has almost thirty years of information technology experience, including a diverse knowledge in manufacturing and process control solutions, corporate applications, infrastructure, and service delivery operations. The CISO closely collaborates with the CIO and Chief Financial Officer (CFO) in managing material risks from cybersecurity threats. Alcoa also maintains an information security steering committee (ISSC), which oversees current and emerging cybersecurity risks and investments in the cybersecurity risk protections for the Company. The steering committee is comprised of a cross-functional team of leaders from across Alcoa’s business groups, including the CISO (the ISSC Chair) and CIO. 
The Company has established comprehensive incident response plans that set forth the processes through which cybersecurity incidents are managed, including how management is informed of cybersecurity incidents. As part of these plans, incidents are evaluated, classified, and elevated to an executive team which includes the CISO and executives on the Crisis Response Team. Once elevated, these executives are ultimately responsible for the management, mitigation, and remediation of incidents.


Company Information

Name: Alcoa Corp
CIK: 0001675149
SIC Description: Primary Production of Aluminum
Ticker: AA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30