ALBEMARLE CORP 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

ALBEMARLE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 17:46:06 EST.

Filings

10-K filed on 2024-02-14

ALBEMARLE CORP filed an 10-K at 2024-02-14 17:46:06 EST
Accession Number: 0000915913-24-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Albemarle recognizes the importance of maintaining the security and integrity of our information systems and the data we collect, process, and store. We have implemented a comprehensive cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework ( CSF ). As such, we map the CSF to corresponding legal, regulatory, and industry security practices, which guide our global policies and procedures to prevent, identify, protect, detect, respond, and recover from cybersecurity threats and incidents. Our cybersecurity program is overseen by our Chief Information Security Officer ( CISO ), and it is integrated into our overall enterprise risk management framework and thus is factored into our long-term strategy and business continuity plans. Our CISO is a Certified Information Systems Security Professional and a Certified Ethical Hacker with more than 25 years of experience as a cybersecurity professional working extensively with critical infrastructure partners to reduce cyber risk within traditional and operation technology networks. Our leadership team receives monthly updates on security operations and governance functions as part of monthly Information Security Council meetings led by our CISO. The Audit and Finance Committee of our Board of Directors oversees information security matters and the Company s cybersecurity program. Our Chief Information Officer and CISO report on cybersecurity related matters, including the status of ongoing initiatives, incident reporting, compliance with regulatory requirements and industry standards, and emerging threats in global cybersecurity, on a periodic and as needed basis to the Audit and Finance Committee. The Audit and Finance Committee offers guidance on certain matters and approval for material initiatives. In addition, the full Board of Directors is updated on cybersecurity matters as needed depending on the nature and materiality of a cybersecurity matter. All information assets are inventoried, classified, prioritized, and protected based on the respective risk, with appropriate cybersecurity controls applied to each. We have also implemented and maintain a documents management program which governs the classification, protection, and use of sensitive company data within the Albemarle environment. All business-requested technologies and third-party service providers must successfully complete a thorough cybersecurity and contract review before being approved for use, after which they become part of our continuous risk monitoring program. Cybersecurity risks and potential costs are evaluated as a part of business operations, and the respective business impacts are continuously assessed to address evolving threats and vulnerabilities. We engage a third-party global firm to conduct an annual cyber assessment using the CSF, and we engage external vendors to validate our security controls and procedures through periodic penetration tests. We follow a zero-trust architecture approach and enforce the use of multi-factor authentication and virtual private network technologies for all external access to provide secure support for our remote workers. Information security training is part of our compliance program, and includes mandatory security training for new hires, mandatory yearly security training for all staff, and regular phishing tests to raise awareness and response actions. Our team of cybersecurity professionals are responsible for maintaining a global information systems environment that focuses on least privilege, least functionality, and network segmentation throughout the landscape using a layered approach (i.e. a defense-in-depth strategy). This includes a security operations center and cybersecurity engineers who provide 24/7 network monitoring. As further discussed in Item 1A. Risk Factors, a material cybersecurity incident could significantly increase the cost of doing business or otherwise adversely impact our financial results and condition. To date we have not had a cybersecurity incident that has had, or is reasonably likely to have, a material effect on our financial results or business operations; however, we monitor and work to continuously improve our cybersecurity program as threats become more frequent and sophisticated. All our manufacturing sites have formal business continuity plans that address site-specific priority responses, each determined through business impact analyses that integrate within our overall corporate crisis management response plan and enterprise risk management program. We also conduct frequent drills and exercises of formal cyber response procedures and business continuity plans. Lessons learned from the outcomes of these exercises are then assessed and used to inform and improve our formal cyber response procedures and business continuity plans. 28 Albemarle Corporation and Subsidiaries In the event of, or the reasonably likely threat of, a cybersecurity incident, our cyber response procedures outline the tasks and timeline for the escalation of the incident to key members of the organization, including the information technology team, business unit management, and Albemarle executives and other key management. These individuals would participate in a special event management plan activation meeting to gain an understanding as to how the incident was detected and analysis of the incident. Each member of management involved would be responsible for assessing the risks, impact, and necessary response as determined by their role. The procedures include key considerations each manager should consider in their assessment as well as their responsibility for involvement in remediation efforts and post-incident strategic reviews. Specific legal and executive role procedures include the assessment of necessary internal communication and external reporting. The Chief Executive Officer, with the support of other executive officers, is responsible for approval of incident reporting and informing and updating the Board of Directors.

Company Information