XML 58 R35.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk management and strategy

Ball Corporation is committed to maintaining a strong cybersecurity posture. We have a dedicated, globally distributed information security team that is responsible for leading information security strategy, standards and processes, which are integrated into our comprehensive enterprise risk management process, including processes related to cybersecurity risks.

The company employs a standards-based cybersecurity program aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), including ongoing assessment and continuous improvement to address the rapidly evolving threat landscape. Ball partners closely with a strong network of external partners, including conducting annual assessments of the cyber risk management program against the NIST CSF.

Our information security team has established and implemented formal processes and policies to assess, identify, and manage risks arising from cybersecurity threats, including those associated with our internal operations and the use of third-party service providers. We continually refine our approach to address evolving cybersecurity regulations, identify potential and emerging security risks, and implement strategies to manage these risks. Ball has developed an incident response plan that includes a cyber incident materiality assessment with appropriate leadership governance. In addition, we have aligned our incident response plan with our enterprise risk and global crisis management processes.

In response to the ever-evolving cyber threat landscape, Ball utilizes external experts to support continuous improvement across our cyber program, processes and operations. Our collaboration with these third-parties includes regular audits,

threat assessments, and consultation on cyber enhancements. In addition, we also augment and extend our cyber team using a select few trusted third-party partners that are integrated as members of our global operations. This provides us with expanded global threat intel and enhances our ability to deliver continuous global cyber operations 24/7.

We are aware that there are potential cybersecurity risks associated with third-party service providers. Prior to engaging with third-party providers, Ball conducts thorough security assessments. We monitor for third-party cyber incidents and manage any third-party cyber incidents under our incident response plan and processes. Our oversight of third-party cyber risk aids our ability to lessen and mitigate impacts related to data breaches and other security incidents originating from third-parties.

Ball faces risks from cybersecurity threats that could have a material adverse effect on the company, including its business strategy, results of operations, financial condition and reputation. Refer to Item 1A, Risk Factors – Technological Risks, for additional details on cybersecurity risks that could potentially materially affect the company, including its business strategy, results of operations, financial condition and reputation. To date, we have not identified any cybersecurity incidents that have affected, or are reasonably likely to affect, our business, operations, or financial condition.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have a dedicated, globally distributed information security team that is responsible for leading information security strategy, standards and processes, which are integrated into our comprehensive enterprise risk management process, including processes related to cybersecurity risks.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Ball’s Chief Information Security Director (CISD) reports to the Senior Vice President and Chief Information Officer (CIO) and leads the company’s cybersecurity team. The CISD is responsible for overseeing cybersecurity, including assessing and managing cybersecurity risk, and together with the CIO, providing comprehensive briefings to the executive leadership team with respect to the cybersecurity program and emerging or potential cybersecurity risks. The cybersecurity team has extensive experience selecting, deploying, and operating cybersecurity technologies, strategies and processes, and couples this knowledge with the use of external experts to protect the company from cyber threats. In the event of a cyber incident, our cross-functional response team will enact our incident response plan, and notify appropriate levels of management, including the executive leadership team, disclosure committee, and Board of Directors, as appropriate.

Our Board of Directors oversees our company’s cybersecurity and information technology strategies. Annually, the CIO briefs the Board of Directors on the company’s cybersecurity posture and the effectiveness of its risk management strategies.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The CISD is responsible for overseeing cybersecurity
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] CIO, providing comprehensive briefings to the executive leadership team with respect to the cybersecurity program and emerging or potential cybersecurity risks
Cybersecurity Risk Role of Management [Text Block]

Our Board of Directors oversees our company’s cybersecurity and information technology strategies. Annually, the CIO briefs the Board of Directors on the company’s cybersecurity posture and the effectiveness of its risk management strategies.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Annually, the CIO briefs the Board of Directors on the company’s cybersecurity posture and the effectiveness of its risk management strategies.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our Board of Directors oversees our company’s cybersecurity and information technology strategies. Annually, the CIO briefs the Board of Directors on the company’s cybersecurity posture and the effectiveness of its risk management strategies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our Board of Directors oversees our company’s cybersecurity and information technology strategies.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true