Page last updated on March 7, 2025
Smurfit Westrock plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 06:21:17 EST.
Filings
10-K filed on 2025-03-07
Smurfit Westrock plc filed a 10-K at 2025-03-07 06:21:17 EST
Accession Number: 0002005951-25-000005
Item 1C. Cybersecurity.
Risk Management and Strategy
We face various cybersecurity risks, including, but not limited to, risks related to unauthorized access, misuse, data theft, computer viruses, system disruptions, ransomware, malicious software and other intrusions. We utilize a multilayered, proactive approach to identify, evaluate, mitigate and prevent potential cyber and information security threats through our cybersecurity risk management program.
Our cybersecurity risk management program is integrated into our broader Enterprise Risk Management (“ERM”) program, which is designed to identify, assess, prioritize and mitigate risks across the organization to enhance our resilience and support the achievement of our strategic objectives. This integrated approach helps safeguard that cybersecurity risks are not viewed in isolation, but are assessed, prioritized and managed in alignment with the Company’s operational, financial and strategic risks, assisting the Company in more effectively managing interdependencies among risks and enhancing risk mitigation strategies.
There are also processes, policies, procedures, operations, technologies and systems in place within our cybersecurity risk management program that pertain to legacy companies as a result of our Combination. Though these remain to be fully integrated as part of the Combination, such integration will be a major focus over the year. Cybersecurity risk measures or governance described herein apply to our whole Company, unless otherwise specified.
We devote resources to protecting the security of our computer systems, software, networks, data, and other technology assets. The Company follows cybersecurity control frameworks based on industry standards. We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident originating from a third-party vendor, service provider or customer.
We have cybersecurity architecture practices in place to promote robust architecture design in our technology and to foster a standardized security landscape. We have security operations teams that provide 24/7 monitoring of our IT environment for any indications of compromise and incident response processes to react as necessary. In addition to our internal cybersecurity capabilities, we also regularly engage other third-party specialists to assist with independent reviews of our security posture. For instance, external penetration testing is completed on an annual basis by specialist third-parties.
As part of our overall risk mitigation strategy, the Company also maintains cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cybersecurity incidents and other related breaches.
We deliver cybersecurity courses and awareness training on information security to our employees with access to Company email or devices at least annually. Additional cybersecurity trainings are made available for all employees throughout the year, including phishing, social engineering and other cybersecurity training as well as targeted training for specific roles based on responsibilities and risk level.
The Company has cybersecurity teams and incident response processes focusing on industry standard incident response stages, such as investigation, containment, mitigation, and recovery. These processes provide a standardized approach when responding to cybersecurity threats or security incidents and include procedures for communication with senior management and key stakeholders, as appropriate. Our incident response processes align with National Institute of Standards and Technology (“NIST”) standards and are tested via externally led tabletop exercises, at least annually.
In the event of an incident, the cybersecurity team assesses, among other factors, supply chain disruption, data and personal information loss, business operations disruption, and projected cost and potential for reputational harm, with participation from senior management, technical staff, and legal support, as appropriate. As part of the annual cybersecurity awareness training program, employees are informed of their responsibilities to report an incident to the cybersecurity team, supporting awareness of the importance of incident response across the Company’s workforce.
In order to oversee and identify risks from cybersecurity threats associated with the Company’s business partners, as well as our use of third-party service providers, we maintain various processes and procedures to evaluate and/or monitor cybersecurity threats associated with third parties.
We have information technology disaster recovery plans in place which are regularly tested. Additionally, we have business continuity processes in place.
Cybersecurity threats are constantly expanding and evolving, becoming increasingly sophisticated and complex, increasing the difficulty of detecting and defending against them and maintaining effective security measures and protocols. Due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents, and the Company has been and continues to be the target of cybersecurity incidents and network disruptions.
During the periods covered by this report, we believe that the risks posed by such cybersecurity threats have not materially affected the Company and its business strategy, results of operations and financial condition, and as of the date of this report, the Company is not aware of any material risks from cybersecurity threats that are reasonably likely to do so, however, we cannot eliminate all risks from cybersecurity threats or provide assurances that the Company will not be materially affected by such risks in the future. For further information, see Item 1A. “Risk Factors - We are subject to cybersecurity risks that could threaten the confidentiality, integrity and availability of data in our systems, and could result in disruptions to our operations and adversely affect our operations, cash flows and financial condition.”
Governance
As part of our Board’s role in overseeing the Company’s cybersecurity risks, the Board devotes time and attention to cybersecurity and data privacy-related risks, with the Audit Committee of the Board of Directors (the “Audit Committee”) being primarily responsible for overseeing information technology risk exposures, including cybersecurity, data privacy and data security. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate risks from cybersecurity threats.
As part of such reviews, the Audit Committee receives reports and presentations from members of our team responsible for overseeing the Company’s cybersecurity risk management, including our Chief Information Officer (“CIO”), other cybersecurity leaders, consisting of our Chief Information Security Officers (“CISOs”), and our legal team, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Chair of the Audit Committee and the CFO regularly brief the full Board on these matters.
We have procedures by which certain cybersecurity incidents are escalated within the Company. Cybersecurity incidents that meet specified criteria for financial, operational, or otherwise relevant impact are escalated for further review to our Cyber Disclosure Committee, comprised of senior leaders and subject matter experts representing functional areas such as information security and legal. The Cyber Disclosure Committee will, where appropriate, report certain cybersecurity incidents to the Board in a timely manner.
Our CIO has 30 years of experience in information security and cybersecurity areas. Our cybersecurity leaders, who report into our CIO, have extensive knowledge and skills gained from nearly two decades of work experience at the Company and elsewhere that head the teams responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across the Company. The cybersecurity leaders are supported by a team with expertise in technical architecture and security operations; governance, risk and compliance; data protection; behavioral change; and cyber incident response, many of whom hold cybersecurity certifications and possess deep technical knowledge and experience.
Cybersecurity leaders receive reports on cybersecurity threats from internal cybersecurity sources and industry partners on an ongoing basis and regularly review risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our cybersecurity leaders work closely with the legal department to oversee compliance with regulatory and contractual security requirements.
Company Information
Name | Smurfit Westrock plc |
CIK | 0002005951 |
SIC Description | Paperboard Containers & Boxes |
Ticker | SW - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |