Page last updated on March 3, 2025
CONSTELLIUM SE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 07:44:35 EST.
Filings
10-K filed on 2025-02-28
CONSTELLIUM SE filed a 10-K at 2025-02-28 07:44:35 EST
Accession Number: 0001563411-25-000005
Item 1C. Cybersecurity.
We may be exposed to fraud, misconduct, corruption, or other illegal activity which could harm our reputation and our financial results.

We may be exposed to fraud, misconduct, corruption or other illegal activity by our employees, independent contractors, consultants, commercial partners, and vendors. Despite the internal controls and the policies and procedures we have developed and implemented to ensure strict compliance with anti-bribery, anti-money laundering, anti-corruption and other laws, violations or misconduct by these parties could include intentional, reckless, and negligent conduct, which can be difficult to detect, and such policies and procedures may not be effective in all instances to prevent these actions.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

Process

We have established a cybersecurity risk management process that aims to identify, assess, mitigate, monitor, and report on the IT risks and cybersecurity threats that may affect our business objectives, performance, reputation, and compliance. We conduct an overall annual cybersecurity risk assessment to identify and prioritize the IT risks that may impact our business strategy, results of operations, and financial condition. We have processes and controls that help prevent, detect, and recover from security incidents and we also perform regular security assessments to test the resilience of our IT systems and networks against potential attacks and vulnerabilities. Our employees are provided awareness training on a regular basis to help them identify, avoid, mitigate, and report cybersecurity threats. We use security assessments, penetration testing, and table-top or red teaming exercises with third parties to assess our security posture and to continuously improve our processes. We also use our Internal Audit function to conduct additional reviews and assessments.

Our third-party service providers are subject to security risk assessments at the time of onboarding, on a continuous basis and upon detection of an increase in risk profile. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and to investigate security incidents that have impacted such providers, as appropriate.

Management

Our Chief Information Officer/Chief Digital Officer (“CIO/CDO”), together with the Company’s security team, is responsible for assessing, monitoring, and managing our cybersecurity risks. Our CIO/CDO has significant experience in IT security, information security, and cybersecurity having served in a variety of senior roles at the Company prior to serving as CIO/CDO. Our CIO/CDO also has experience with implementing various security and infrastructure transformation and improvement programs.

The Company has an Enterprise Risk Management (“ERM”) Committee and process in place that reviews and evaluates the overall risks to the Company, including its cybersecurity risks. The ERM process has the input of senior management and other internal stakeholders, and the cybersecurity risk management process is incorporated into our ERM review. Cybersecurity risks to the Company are reviewed, evaluated, and discussed on a quarterly basis and, when necessary, on an ad-hoc basis with our Executive Committee and other members of the management team. We maintain controls and procedures that are designed to ensure prompt review and escalation of certain cybersecurity incidents so that decisions regarding reporting and public disclosure of such incidents can be made in a timely manner to comply with cybersecurity incident reporting requirements.

Board

Our Board, in coordination with the Audit Committee, oversees the management of the Company’s cybersecurity program and risks from cybersecurity threats. Our Audit Committee receives annual reports on cybersecurity risks resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents. The CIO/CDO also informs the Audit Committee on the prevention, detection, mitigation, and remediation of cybersecurity incidents, including significant security risks and information security vulnerabilities. The Audit committee reports any significant matters to the Board.

Risks

We rely on our IT systems to effectively manage and operate our business, including such processes as data collection, accounting, financial reporting, communications, supply chain, order entry and fulfillment, other business processes, and in operating our equipment. A cybersecurity incident could disrupt our business and could result in transaction errors, processing inefficiencies, limited equipment utilization, the loss of sales, customers, or intellectual property, causing our business and financial results to suffer. Although such risks have not materially affected our business, financial conditions, results of operations or reputation to date, we have, from time-to-time experienced cybersecurity incidents in the normal course of business. For more information regarding the risks we face from cybersecurity threats, please see “Item 1A. Risk Factors”.
Company Information
Name | CONSTELLIUM SE |
CIK | 0001563411 |
SIC Description | Secondary Smelting & Refining of Nonferrous Metals |
Ticker | CSTM - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |