|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Kodak has implemented various processes designed to help assess, identify and manage risk from cybersecurity threats. Kodak's cybersecurity program follows the structure and objectives of the U.S. National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and is designed to satisfy multi-jurisdictional regulatory requirements. Key areas of Kodak's cybersecurity risk management processes and strategy currently include:
• Cross-Functional Collaboration and Coordination. Our IT security operations and risk management team (“IT Security Team”), led by our Chief Information Security Officer (“CISO”), has first line responsibility for the implementation and operation of our cybersecurity risk management processes. However, this team works together with other internal teams to coordinate efforts, priorities and oversight. These include:
  o our IT Risk Council (the “Council”), which is comprised of key leaders from stakeholder groups throughout the Company and led by our CISO, and meets monthly to review metrics and discuss risks and recent events;
  o our Risk Management and Compliance Committee (the “Risk Committee”), which is responsible for evaluating and assessing overall enterprise risk, including cybersecurity risk;
  o our Internal Audit Department, which monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment;
  o our Chief Privacy Officer; and
  o our crisis management team, a cross-functional team of senior management and subject matter experts from across the Company established to be ready to respond to crisis events, including those arising from cybersecurity incidents.
• Routine Evaluation and Assessment of Systems and Processes. We routinely evaluate our IT systems and infrastructure, including with respect to system security, and regularly implement upgrades to improve system functionality and performance as well as to enhance security. Security controls are routinely assessed by our annual general controls audit and other audits and assessments as well as a thorough assessment performed during the annual cyber insurance application process. In addition to periodic in-depth evaluations of our systems and processes, we monitor our IT systems and processes on a regular basis with the goal of identifying and remediating real and potential threats as they arise.
• Security Awareness Program to Train and Test Personnel. We operate a security awareness program that includes regular, mandatory trainings for relevant personnel on data protection and malware detection, policy and process awareness, periodic phishing simulations and other kinds of preparedness testing.
• Incident Response Process and Team. We maintain an incident response process with defined roles, responsibilities and reporting protocols. This process focuses on responding to and recovering from any significant breach as well as mitigating any impact to our business. Generally, when a breach or suspected breach is identified, the IT Security Team would escalate the issue to the Council for initial analysis and guidance. In the event of a serious IT incident, the crisis management team would be notified and the incident response team would typically be tasked with preparing an initial response. The incident response team, in consultation with others regarding impact and materiality, would be responsible for determining whether a particular incident (alone or in combination with other factors) triggers any reporting or notification responsibilities.
• Regular Evaluation of Initiatives, Results and Priorities. The IT Security Team, in consultation with the Council and other members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments, and further developments in the cybersecurity threat landscape. In addition, we periodically engage a third-party provider to conduct an external assessment of our security program. The results of this assessment, which are reported to the Audit and Finance Committee (and the Board, as appropriate), assist us in determining whether any further changes to our existing policies and practices are warranted.
We expect that our cybersecurity risk management processes and strategy will continue to evolve as the cybersecurity threat landscape evolves.
We engage third-party providers to assist us with our cybersecurity risk management and strategy. Examples of services provided by these third-party providers include threat monitoring, incident response support, testing, mitigation strategies, updates on emerging trends and developments and policy guidance. Prior to exchanging any sensitive data or integrating with key third-party providers, we assess their security fitness against our risk posture and request changes as we deem necessary. Security controls are imposed through comprehensive standard terms and conditions that include privacy and incident reporting requirements, and third parties are periodically re-evaluated for security risk.
Since the beginning of the last fiscal year, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected the Company, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the heading, “Risks Related to Kodak’s Business and Operations—Cyber-attacks or other data security incidents that disrupt Kodak’s operations or result in the breach or other compromise of proprietary or confidential information about our workforce, our customers, or other third parties could disrupt our business, harm our reputation, cause us to lose customers, and expose us to costly regulatory enforcement and litigation, any of which could lead to material adverse effects on Kodak’s results of operations, business and financial condition” in this Form 10-K.
Governance
Consistent with the overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risk while the Board and its Audit and Finance Committee perform an oversight function.
Board Oversight. The Board has delegated to its Audit and Finance Committee the responsibility for overseeing cybersecurity risk exposures in addition to our broader risk management program. Management (including the Chief Information Officer (“CIO”) and the CISO) reports at least annually to the Audit and Finance Committee on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives intended to bolster security systems and the cyber readiness of personnel.
Management’s Role. The IT Security Team addresses and responds to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. The team oversees compliance with the cybersecurity framework within the organization and facilitates cybersecurity risk management activities throughout the organization. The IT Security Team also assists with the review and approval of policies, completes benchmarking against applicable standards, and oversees the security awareness program.
The IT Security team is led by the CISO. The CISO reports to the CIO who, in turn, reports to the Executive Chairman and Chief Executive Officer. The CISO has 40 years of IT experience, with over 20 of those focused on IT security functions and strategies. Collectively, the other members of the IT Security Team have decades of relevant education and experience and maintain a wide range of industry certifications. Cybersecurity training is provided for the IT Security Team upon joining the IT Security Team, on an annual basis and more frequently when necessary.
As noted previously, the CISO is a member of the Council, which meets monthly to provide operational direction to the IT Security Team considering the evolving risk landscape. The IT Security Team and the Council, through ongoing communication, help monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO or CIO, in consultation with the Council and other members of senior management, reports such threats and incidents to the Audit and Finance Committee, as appropriate. These reports may be included in, or in addition to, the regular annual reports to the Audit and Finance Committee.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|our Internal Audit Department, which monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Consistent with the overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risk while the Board and its Audit and Finance Committee perform an oversight function.
Board Oversight. The Board has delegated to its Audit and Finance Committee the responsibility for overseeing cybersecurity risk exposures in addition to our broader risk management program. Management (including the Chief Information Officer (“CIO”) and the CISO) reports at least annually to the Audit and Finance Committee on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives intended to bolster security systems and the cyber readiness of personnel.
Management’s Role. The IT Security Team addresses and responds to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. The team oversees compliance with the cybersecurity framework within the organization and facilitates cybersecurity risk management activities throughout the organization. The IT Security Team also assists with the review and approval of policies, completes benchmarking against applicable standards, and oversees the security awareness program.
The IT Security team is led by the CISO. The CISO reports to the CIO who, in turn, reports to the Executive Chairman and Chief Executive Officer. The CISO has 40 years of IT experience, with over 20 of those focused on IT security functions and strategies. Collectively, the other members of the IT Security Team have decades of relevant education and experience and maintain a wide range of industry certifications. Cybersecurity training is provided for the IT Security Team upon joining the IT Security Team, on an annual basis and more frequently when necessary.
As noted previously, the CISO is a member of the Council, which meets monthly to provide operational direction to the IT Security Team considering the evolving risk landscape. The IT Security Team and the Council, through ongoing communication, help monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO or CIO, in consultation with the Council and other members of senior management, reports such threats and incidents to the Audit and Finance Committee, as appropriate. These reports may be included in, or in addition to, the regular annual reports to the Audit and Finance Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board has delegated to its Audit and Finance Committee the responsibility for overseeing cybersecurity risk exposures in addition to our broader risk management program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Management (including the Chief Information Officer (“CIO”) and the CISO) reports at least annually to the Audit and Finance Committee on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives intended to bolster security systems and the cyber readiness of personnel.
|Cybersecurity Risk Role of Management [Text Block]
|
Management’s Role. The IT Security Team addresses and responds to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. The team oversees compliance with the cybersecurity framework within the organization and facilitates cybersecurity risk management activities throughout the organization. The IT Security Team also assists with the review and approval of policies, completes benchmarking against applicable standards, and oversees the security awareness program.
The IT Security team is led by the CISO. The CISO reports to the CIO who, in turn, reports to the Executive Chairman and Chief Executive Officer. The CISO has 40 years of IT experience, with over 20 of those focused on IT security functions and strategies. Collectively, the other members of the IT Security Team have decades of relevant education and experience and maintain a wide range of industry certifications. Cybersecurity training is provided for the IT Security Team upon joining the IT Security Team, on an annual basis and more frequently when necessary.
As noted previously, the CISO is a member of the Council, which meets monthly to provide operational direction to the IT Security Team considering the evolving risk landscape. The IT Security Team and the Council, through ongoing communication, help monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO or CIO, in consultation with the Council and other members of senior management, reports such threats and incidents to the Audit and Finance Committee, as appropriate. These reports may be included in, or in addition to, the regular annual reports to the Audit and Finance Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The team oversees compliance with the cybersecurity framework within the organization and facilitates cybersecurity risk management activities throughout the organization. The IT Security Team also assists with the review and approval of policies, completes benchmarking against applicable standards, and oversees the security awareness program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has 40 years of IT experience, with over 20 of those focused on IT security functions and strategies. Collectively, the other members of the IT Security Team have decades of relevant education and experience and maintain a wide range of industry certifications. Cybersecurity training is provided for the IT Security Team upon joining the IT Security Team, on an annual basis and more frequently when necessary.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|the CISO is a member of the Council, which meets monthly to provide operational direction to the IT Security Team considering the evolving risk landscape. The IT Security Team and the Council, through ongoing communication, help monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true