CANADIAN PACIFIC KANSAS CITY LTD/CN 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

CANADIAN PACIFIC KANSAS CITY LTD/CN reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 11:24:45 EST.

Filings

10-K filed on 2025-02-27

CANADIAN PACIFIC KANSAS CITY LTD/CN filed a 10-K at 2025-02-27 11:24:45 EST
Accession Number: 0000016875-25-000008

Item 1C. Cybersecurity.

Risk Management

CPKC’s cybersecurity risk management program is an integrated and essential component of the Company’s overall risk management strategy. Through its Security Management Plan, CPKC maintains a comprehensive, risk-based plan that is modelled on and was developed in conjunction with the security plan prepared by the Association of American Railroads post-September 11, 2001. This plan also covers regulatory requirements such as TSA Cyber Security Directives and auditing requirements. Under this plan, the Company routinely examines and prioritizes cyber vulnerabilities and threats while also testing and revising protective measures for its assets and operations, both physical or cyber. Likewise, the Company’s cybersecurity risk management program entails real-time review and monitoring of CPKC’s cyber-risk exposures and implements strategic processes to manage those risks.

The Company’s cybersecurity program utilizes the National Institute of Standards and Technology Cybersecurity Framework as its foundation. Accordingly, CPKC’s program includes periodic risk assessments, penetration testing by a third-party, audit participation, employee and contractor training, and the implementation of technologies to assist in mitigating cybersecurity risks and harms. Incident response procedures, including escalation procedures, are designed, implemented, and periodically tested to assist the Company in detecting, responding to, and recovering from a potential cybersecurity incident, and making any timely notification or disclosure that may be required under the circumstances. The Company scopes the third-party penetration tests as real-world attacks against perimeter defenses and internal processes such as social engineering and phishing.

The Company’s cybersecurity risk management program also includes ongoing threat research and analysis conducted with the assistance of third parties, including on emerging threat attack vectors, tactics, actors and motivations. The Company also engages in ongoing network monitoring and has implemented a vulnerability management and patching program. Further, CPKC employs structured vetting and ongoing risk management processes to identify and mitigate cyber risks associated with the use of third-party service providers, including specifically in the area of technology.

To date, risks arising from cybersecurity threats have not materially affected the Company, its results of its operations, or its financial condition. However, the Company also recognizes the reality of the ever-evolving cyber risk landscape faced by industries and businesses across the world. Depending on their source and nature, cyber incidents could in the future materially affect CPKC and its operations, and financial condition. See “Risk Factors” in Part I, Item 1A of this Form 10-K for further information about information and cybersecurity risk.

Governance and Oversight

The Board of Directors oversees the work of all its committees, including the Audit and Finance Committee. The Audit and Finance Committee is responsible for, among other things, overseeing the Company’s financial disclosures and its internal and external audit functions, maintaining the integrity of financial reporting and internal controls, and providing stewardship and guidance to management in its approach to the assessment and mitigation of cybersecurity risks.

The Chief Information Officer (“CIO”) provides annual and periodic updates to the Audit and Finance Committee and the Board of Directors on cybersecurity risks and the Company’s strategy for mitigating such risks. Additionally, the Chief Information Security Officer (“CISO”) briefs the Audit and Finance Committee periodically. The Audit and Finance Committee also receives updates on information systems and cybersecurity audit and advisory engagements from the Chief Internal Auditor.

The CISO reports directly to the CIO and is responsible for:

- Overseeing and implementing CPKC’s cybersecurity strategy;
- Aligning cybersecurity objectives with the overall business objectives;
- Ensuring compliance with regulatory directives related to cybersecurity;
- Promoting a cybersecurity culture through comprehensive awareness and training programs; and
- Managing and coordinating incident response activities.

The Company’s cybersecurity risk management program is supervised by the Managing Director of Enterprise Security who reports directly to the CISO. The CIO and CISO regularly update senior leadership and the executive committee on cybersecurity risks.

The CISO, CIO, and certain members of their management team who are involved in implementing the Company’s cybersecurity program possess expertise in cybersecurity risk management. Our CISO and CIO each have many years of experience in designing and implementing cybersecurity frameworks and working to mitigate cyber threats. Among other qualifications, certain members of the CISO’s and CIO’s management team also have certifications as a CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager).


Company Information

Name: CANADIAN PACIFIC KANSAS CITY LTD/CN
CIK: 0000016875
SIC Description: Railroads, Line-Haul Operating
Ticker: CP - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30