BALL Corp 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

BALL Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 11:12:47 EST.

Filings

10-K filed on 2025-02-20

BALL Corp filed a 10-K at 2025-02-20 11:12:47 EST
Accession Number: 0001558370-25-001190

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurit y Risk management and strategy Ball Corporation is committed to maintaining a strong cybersecurity posture. We have a dedicated, globally distributed information security team that is responsible for leading information security strategy, standards and processes, which are integrated into our comprehensive enterprise risk management process, including processes related to cybersecurity risks. The company employs a standards-based cybersecurity program aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), including ongoing assessment and continuous improvement to address the rapidly evolving threat landscape. Ball partners closely with a strong network of external partners, including conducting annual assessments of the cyber risk management program against the NIST CSF. Our information security team has established and implemented formal processes and policies to assess, identify, and manage risks arising from cybersecurity threats, including those associated with our internal operations and the use of third-party service providers. We continually refine our approach to address evolving cybersecurity regulations, identify potential and emerging security risks, and implement strategies to manage these risks. Ball has developed an incident response plan that includes a cyber incident materiality assessment with appropriate leadership governance. In addition, we have aligned our incident response plan with our enterprise risk and global crisis management processes. In response to the ever-evolving cyber threat landscape, Ball utilizes external experts to support continuous improvement across our cyber program, processes and operations. Our collaboration with these third-parties includes regular audits, threat assessments, and consultation on cyber enhancements. In addition, we also augment and extend our cyber team using a select few trusted third-party partners that are integrated as members of our global operations. This provides us with expanded global threat intel and enhances our ability to deliver continuous global cyber operations 24/7. We are aware that there are potential cybersecurity risks associated with third-party service providers. Prior to engaging with third-party providers, Ball conducts thorough security assessments. We monitor for third-party cyber incidents and manage any third-party cyber incidents under our incident response plan and processes. Our oversight of third-party cyber risk aids our ability to lessen and mitigate impacts related to data breaches and other security incidents originating from third-parties. Ball faces risks from cybersecurity threats that could have a material adverse effect on the company, including its business strategy, results of operations, financial condition and reputation. Refer to Item 1A, Risk Factors - Technological Risks, for additional details on cybersecurity risks that could potentially materially affect the company, including its business strategy, results of operations, financial condition and reputation. To date, we have not identified any cybersecurity incidents that have affected, or are reasonably likely to affect, our business, operations, or financial condition. Governance Ball’s Chief Information Security Director (CISD) reports to the Senior Vice President and Chief Information Officer (CIO) and leads the company’s cybersecurity team. The CISD is responsible for overseeing cybersecurity , including assessing and managing cybersecurity risk, and together with the CIO, providing comprehensive briefings to the executive leadership team with respect to the cybersecurity program and emerging or potential cybersecurity risks . The cybersecurity team has extensive experience selecting, deploying, and operating cybersecurity technologies, strategies and processes, and couples this knowledge with the use of external experts to protect the company from cyber threats. In the event of a cyber incident, our cross-functional response team will enact our incident response plan, and notify appropriate levels of management, including the executive leadership team, disclosure committee, and Board of Directors, as appropriate. Our Board of Directors oversees our company’s cybersecurity and information technology strategies. Annually, the CIO briefs the Board of Directors on the company’s cybersecurity posture and the effectiveness of its risk management strategies .

Company Information