Page last updated on March 3, 2025
CELESTICA INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 08:17:29 EST.
Filings
10-K filed on 2025-03-03
CELESTICA INC filed a 10-K at 2025-03-03 08:17:29 EST
Accession Number: 0001030894-25-000014
Item 1C. Cybersecurity.
Risk Management and Strategy

We prioritize the effective management of cybersecurity risks through a strategy focused on identifying, assessing, and responding to cybersecurity vulnerabilities, threats and incidents. Our primary objectives are to safeguard information assets, prevent their misuse or loss, and minimize business disruptions, through a comprehensive cybersecurity program intended to detect, analyze, contain and address cybersecurity risk exposures, threats and incidents. Our Board has oversight of our strategic and business risk management, including cybersecurity risk management, with support from our Audit Committee (described under “Governance” below). The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which we are exposed and to implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. We use various processes to inform our assessment, identification and management of risk from cybersecurity threats, including technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. Key areas of our cybersecurity risk management processes and strategy include the following:

Multidisciplinary Coordination: Our IT Security Team, which includes IT Site Managers, an IT Risk & Compliance Team, a Global Information Security Team and Cybersecurity Incident Managers, has first-line responsibility for our cybersecurity risk management processes, and is responsible for implementing cybersecurity policies, procedures and strategies. This team is led by our Vice President, Security, Infrastructure & Site IT (VP Security), who reports to our Chief Information Officer (CIO), who in turn reports to our Chief Operations Officer (COO). The IT Security Team is subject to oversight from several cross-functional teams, including our Executive Leadership Team, our IT Security Council and our Compliance Council. Our IT Security Council, a global IT security strategy team, meets monthly to discuss IT security roadmaps and strategies, control enhancements, compliance matters and customer requirements. Our Compliance Council includes representatives from, among others, our legal, compliance, ethics, internal audit, operations, security, and supply chain teams to assess the Company’s risk exposures, mitigation strategies and policies, and meets quarterly to discuss risks, policies and compliance issues, including with respect to cybersecurity.

Internal Audit: Our Internal Audit department performs audits, and our IT Risk and Compliance Team, which reports to the VP Security, monitors certain IT systems controls that are integrated into our larger internal control environment.

Cyber Incident Response: We maintain a cross-functional cyber incident response plan with defined roles, responsibilities and reporting protocols, which is evaluated and tested on a regular basis. The Company has a process for employees to report suspected or confirmed cybersecurity threats or incidents. Generally, if a suspected or confirmed breach is identified, a Cybersecurity Incident Manager from the Global Information Security Team is assigned to evaluate and escalate the issue as needed to the VP Security. The Company’s response to cybersecurity incidents (which includes prompt steps to protect our systems and information by containing and mitigating the impact of any incident) is managed by the VP Security, in consultation with the CIO, and when appropriate, with the CFO, COO, CEO and our Chief Legal Officer. These leaders will assess the materiality of a particular incident (alone or in combination with other factors), and the Chief Legal Officer will determine whether any reporting or notification responsibilities have been triggered. The CEO is responsible for informing our Board and the Audit Committee regarding any significant incidents, and coordinates management’s recommendations concerning materiality.

Continuous Evaluation: We update our information security management system periodically and employ standards and frameworks as we deem necessary to assist us in monitoring compliance with regulatory, industry and evolving data privacy requirements. In addition, we monitor our IT systems and processes on an ongoing basis with the goal of identifying and remediating real and potential threats as they arise. We adjust our systems, procedures and policies regularly as we deem necessary in response to identified threats and risks.

Training: We provide cybersecurity and information security compliance training for our employees once per year, track completion, and require attestations. We conduct monthly mock phishing attacks to all employees, and cater training specifically to our needs, based on industry trends and potential threats. Select members of our IT Security Team participate in security training focusing on emergency preparedness and remediation, including annual tabletop exercises to test our security protocols and response times.

Outside Consultants: Third-party experts are engaged to conduct National Institute of Standards and Technology (NIST) CSF (Cyber Security Framework) Audits to measure the Company’s cybersecurity maturity level, in addition to providing assistance with our cybersecurity risk management and strategy. Other third-party providers provide us with ongoing assistance including threat monitoring, mitigation strategies, and updates on emerging security trends and developments, while we have others engaged on retainer to provide targeted assistance and forensic expertise as needed.

Monitoring of Third Parties: In 2023, we implemented a Third-Party Risk Management Program to perform IT security controls assessments for our third-party suppliers and vendors and measure the IT security rating of Celestica and these entities through an external security rating solution platform. Through this program, our IT Risk and Compliance team assesses, monitors, and mitigates potential cybersecurity risks from our third-party suppliers and vendors. In addition, an external service is used to assess the cybersecurity risk rating of third-party suppliers and vendors.

Certifications: Certain of our manufacturing sites are certified to ISO27001 (an international standard focused on information security), and we continue to perform assessments of our A&D sites and systems that support A&D data under U.S. NIST 800-171 Enhanced Cybersecurity Measures for Government Contractors.

While we have invested, and continue to invest, in the protection of our data and IT infrastructure, we regularly face attempts by others to access our information systems in an unauthorized manner, to introduce malicious software to such systems or both, and while we have not been materially impacted by computer viruses, malware, ransomware, hacking incidents, outages, or unauthorized access to data, we have been (and may in the future be) the target of such events. However, to date, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected the Company, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see Item 1A, Risk Factors - "Our operations and our customer relationships may be adversely and materially affected by disruptions to our IT systems, including disruptions from cybersecurity breaches of our IT infrastructure" in this Annual Report.

Governance

As part of its oversight responsibilities, which include the identification of the principal risks of the business and ensuring the implementation of appropriate systems to manage such risks, the Board devotes significant time and attention to information security and risk management, including cybersecurity, and regulatory compliance, supported by the Audit Committee. The Audit Committee is responsible for evaluating Celestica’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The Audit Committee’s Mandate also requires it to discuss guidelines, policies and steps to govern the process by which risk assessment and management is undertaken (including risks related to information security, cybersecurity and data protection) and the establishment and management of appropriate systems to manage such risks. The Audit Committee reviews cybersecurity risks through quarterly reports from management, and monitors the status of existing information security controls and practices to mitigate the potential risk from evolving cybersecurity threats. In addition, in accordance with its Mandate, the Board receives a quarterly report from management regarding the principal risks inherent in the business of the Corporation, including appropriate crisis preparedness, business continuity, information system controls, cybersecurity and information security, and disaster recovery plans. These reports address a range of topics, including industry trends, benchmark and assessment reports, information security projects and updates on cyber-related metrics, technology modernization, policies and practices, and specific and ongoing efforts to prevent, detect, and respond to internal and external critical threats.

Management’s role: Our IT Security Team is composed of several support teams (including our IT Site Managers, our Cybersecurity Incident Managers, our Global Information Security Team, and our IT Risk and Compliance Team) that address and respond to cybersecurity risks and incidents, including risks related to security architecture and engineering, identity and access management and security operations. As noted above, our IT Security Team is led by our VP Security, who has 15 years of experience in leading global security and compliance functions and strategies and holds several certifications including Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified Information Security Manager (CISM). Our CIO has 20 years of experience in leading security, compliance and digital forensics functions. Collectively, the other members of our IT Security Team have decades of relevant education and experience and maintain a wide range of industry certifications. In addition, we invest in regular, ongoing cybersecurity training for our IT Security Team. Risks are updated by management each quarter, based on findings from external assessments and internal cybersecurity metrics. Management (including our VP of Internal Audit) reports quarterly to the Audit Committee on information security. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives intended to bolster our security systems and the cyber readiness of our personnel. Management takes several steps intended to mitigate the impact of cybersecurity and information security risks and incidents, including an annual management risk assessment (including cybersecurity risk), continued enhancement of information security and data loss prevention controls, maintenance of a robust crisis response plan, engaging an external consultant (described above), and ensuring that the Company maintains cybersecurity insurance coverage deemed appropriate. Management oversight procedures include: (i) a methodology to ensure cybersecurity events are promptly escalated and that appropriate internal and external reporting occurs; (ii) a monthly Information Security Governance Council meeting with site IT managers; and (iii) quarterly meetings between senior executives and our Internal Audit department to discuss the outlook for the following year, focusing on the current risk environment.
Company Information
Name | CELESTICA INC |
CIK | 0001030894 |
SIC Description | Printed Circuit Boards |
Ticker | CLS - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |