Page last updated on February 20, 2025
CF Industries Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:11:40 EST.
Filings
10-K filed on 2025-02-20
CF Industries Holdings, Inc. filed a 10-K at 2025-02-20 16:11:40 EST
Accession Number: 0001324404-25-000006
Item 1C. Cybersecurity.
Cybersecurity risk management, including our processes for assessing, identifying and managing material risks from cybersecurity threats, is an integral part of our overall enterprise risk management (ERM) program. The ERM program includes an annual assessment process designed to identify risks, including those from cybersecurity threats, that could affect achievement of our business, operations and strategic objectives and to understand, assess, and prioritize those risks. The ERM program also intends to facilitate the implementation of risk management strategies and risk mitigation processes across the Company that are responsive to the Company’s risk profile, overall business strategies, and specific material risk exposures. The ERM program seeks to integrate consideration of risk and risk management into business decision-making throughout the Company, including through the implementation of policies and procedures intended to ensure that necessary information with respect to material risks, including material risks from cybersecurity threats, is appropriately communicated to senior executives and the Board of Directors (Board) or relevant committees.

The Board regularly reviews and discusses with members of management responsible for risk management the guidelines and policies governing the ERM process. This includes the key risks identified in the ERM process, the likelihood of occurrence and the potential impact assigned to those risks by management, in addition to the risk mitigation strategies in each instance. The Audit Committee of the Board oversees management’s cybersecurity risk management efforts. Our chief information officer oversees information technology, cybersecurity risk and efforts to prevent and mitigate such risks.

The Audit Committee receives periodic reports summarizing threat detection and mitigation plans, audits of internal controls, summaries of training activities and certification achievements, assessments of cybersecurity program effectiveness and reports on other cybersecurity priorities and initiatives. This is in addition to management’s periodic updates on cybersecurity incidents involving the Company or other industry and global participants. The Audit Committee also receives regular updates on the efficacy of our cybersecurity program and risk management from our chief information officer and other members of management that are tasked with monitoring cybersecurity risks.

Our chief information officer has over 10 years of experience overseeing cybersecurity teams at both the Company and two other public companies. Our chief information officer is supported by a dedicated team of certified cybersecurity professionals, with an average of over 13 years of relevant experience.

Our cybersecurity strategy prioritizes governance, protection, detection, analysis, and response to known, anticipated, or unexpected cyber threats, effective management of cyber risks and resilience against cyber incidents. We maintain a formal cybersecurity program structured around the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a voluntary framework created by industry and the U.S. government to promote the protection of our infrastructure from cybersecurity risks. We contract with an external auditing firm to assess our cybersecurity controls relative to industry peers using the NIST CSF, which has six functions: govern, identify, protect, detect, respond and recover.

We consistently evaluate the threat landscape, adopting a multifaceted approach to cybersecurity risks through a zero trust strategy focusing on prevention, detection, and mitigation, which includes the following programs and practices:

- Our cybersecurity team conducts an annual review of cybersecurity risks at the ERM level, integrating significant cybersecurity risks into our overall ERM program. We remain committed to increasing investments in cybersecurity, which includes providing additional training for end-users, adopting a zero trust methodology, identifying and safeguarding critical assets, and reinforcing monitoring and alerting capabilities. Our proactive approach involves regular testing of defenses through simulations and penetration tests, both technically and through a comprehensive review of operational policies and procedures. At the managerial level, our cybersecurity team consistently monitors alerts and holds regular meetings to discuss threat levels, trends, and remediation strategies. Additionally, we conduct periodic external penetration tests and maturity testing to assess the effectiveness of our security controls, including processes, procedures, and our readiness to face the evolving threat landscape.
- We consider and assess the cybersecurity risks associated with the utilization of third-party service providers, including cybersecurity vendors, consultants, and auditors, under our third-party risk management program. Pursuant to the program, we evaluate security and data privacy controls prior to sharing or authorizing the hosting of sensitive data in computing environments managed by third parties. In addition, our standard terms and conditions with third-party service providers feature contractual provisions mandating specific security protections.
- Our cybersecurity incident response plan is designed to detect and address potential threats that may impact the confidentiality, integrity, and availability of our technology systems. The response plan includes coordinated processes for handling security and data privacy incidents, encompassing communication and effective response, and as appropriate, escalation to the Audit Committee or the Board.
- Our global business continuity program includes information technology disaster recovery, supporting resilience in both our business and information technology.

To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or that we believe are reasonably likely to materially affect our business strategy, results of operations, or financial condition. We cannot, however, eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, see the disclosure in Item 1A. Risk Factors under “Operational Risks-Failure, inadequacy, breach of, or unauthorized access to, our information technology systems or those of third-party service providers or customers could negatively affect our business and operations.”

Company Information
Name | CF Industries Holdings, Inc. |
CIK | 0001324404 |
SIC Description | Agricultural Chemicals |
Ticker | CF - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |