Security and Risk Committee Charter
(Approved May 7, 2020)
The Security and Risk Committee shall assist the Board of Directors in its oversight responsibilities with regard to the Corporation's company-wide security and enterprise risk management practices, including (1) overseeing the practices, procedures and controls that management uses to identify, manage and mitigate risks related to cybersecurity, privacy and disaster recovery and respond to incidents with respect thereto and (2) overseeing the practices, procedures and controls that management uses to identify, manage and mitigate other key enterprise risks that the Corporation faces such as strategic, commercial, physical security, property, work place safety, legal, regulatory, and reputational risks.
The Committee shall consist of at least three directors, each of whom shall meet the independence requirements of the New York Stock Exchange. Any action taken by the Committee during a period in which one or more of the members subsequently is determined to have failed to meet the membership qualifications shall nevertheless constitute duly authorized actions of the Committee and shall be valid and effective for all purposes, except to the extent required by law or determined appropriate by the Committee to satisfy regulatory requirements.
The members of the Committee shall be appointed and replaced by the Board.
Management of the Corporation has responsibility to manage the Corporation's security and enterprise risk management practices, procedures and controls. The Committee has an oversight role, and in fulfilling that role, may rely on reviews and reports provided by management and the Committee's advisors. In performing its oversight responsibilities, the Committee shall:
- Review management’s implementation of cybersecurity programs, privacy programs and risk policies and procedures and management’s actions to (x) safeguard the effectiveness of such programs and policies and the integrity of the Corporation’s electronic systems and facilities and (y) prevent, detect and respond to cyber-attacks or information or data breaches involving the Corporation’s electronic information, intellectual property and data.
- Receive information from the chief information security officer regarding matters related to the management of cybersecurity risk and information from the chief compliance officer regarding matters related to the management of privacy risks, in each case as the Committee deems appropriate.
- Review management’s crisis preparedness and incident response plans (including policies and procedures regarding public disclosure of any such incidents) and the Corporation’s disaster recovery capabilities.
- Monitor the Corporation’s enterprise risk profile and its ongoing and potential exposure to risks of various types. In doing so, the Committee recognizes the responsibilities delegated to other committees by the Board and understands that the other committees may emphasize specific risk monitoring through their respective activities. Specifically, the Compensation Committee shall continue to have oversight responsibility for risks relating to the Corporation’s compensation arrangements (including risks related to the Corporation’s pension, welfare and employee benefit plans), senior executive succession planning and talent management, and the Audit and Finance Committee shall continue to have oversight responsibility for risks relating to the Corporation’s financial reporting (including internal control over financial reporting), capital structure, financial and budgeting requirements, financial risks related to the Corporation’s pension, savings and welfare plans, investor relations, violations of the Corporation’s Code of Ethics and Business Conduct, taxes, and acquisitions and dispositions.
- Receive and review information from management regarding the activities of the Corporation and discuss matters related to the Corporation’s risk profile as appropriate, including a risk heat map identifying the risks to the Corporation and the potential for occurrence and expected impact on the Corporation for each identified risk.
- Review and discuss with management the effectiveness of the Corporation’s risk management programs and its practices for identifying, managing and mitigating risks across all business functions and recommend improvements, where appropriate.
- Review and approve the framework for adopting policies and procedures establishing risk-management governance, risk-management procedures, and risk control infrastructure.
- Oversee the processes and systems for implementing and monitoring compliance with risk-management and risk-control policies and procedures, including:
  - Processes and systems for identifying and reporting risks (including emerging risks) and risk management deficiencies, and implementation of actions to address risk-management deficiencies;
  - Processes and systems for establishing managerial and employee responsibility for risk management; and
  - Processes and systems to integrate risk management and associated controls with management goals.
- Review significant investments and expenditures the Corporation proposes to make to manage or mitigate enterprise risks and make recommendations, where appropriate.
- Receive and review reports and presentations from management and the Committee’s advisors, including, as appropriate, independent auditors, internal auditors, legal counsel and other outside experts regarding the management of enterprise risk programs.
- Review and address, as appropriate, management’s corrective actions for deficiencies that arise with respect to the effectiveness of enterprise risk management programs.
- Review the “Risk Factors” section of the Corporation’s Annual Report on Form 10-K annually.
- Review the adequacy of the Corporation’s insurance programs to determine if the coverages are sufficient, consistent with market conditions, to protect the Corporation.
- Review, with the Corporation’s general counsel, any legal matter that could have a significant impact on the Corporation’s business or reputation.
- Address other matters as the Committee Chair or other members of the Committee determine relevant to the Committee’s oversight of enterprise risk assessment and management.
Meetings; Operational Matters and Reports
The Committee is to meet periodically in separate executive sessions with each of management, the Corporation's chief information security officer, chief audit executive and chief compliance officer, and shall have other direct and independent interaction with them from time to time as the Committee deems appropriate.
The Committee may form and delegate authority to subcommittees when appropriate.
In connection with its duties and responsibilities, the Committee shall have full access to all books, records, facilities and personnel of the Corporation as deemed necessary or appropriate by any member of the Committee to discharge his or her responsibilities hereunder. The Committee shall also have authority to pay, at the expense of the Corporation, ordinary administrative expenses that, as determined by the Committee, are necessary or appropriate in carrying out its duties. The Committee shall have the authority to retain outside legal, accounting or other advisors, including the authority to approve the fees payable by the Corporation to such advisors and other retention terms. The Corporation shall provide the funding for the payment of such fees.
The Committee shall annually review its performance. In addition, the Committee shall review and reassess the adequacy of this Charter annually and recommend to the Board any changes it considers necessary or advisable.
The Committee shall make regular reports to the Board.