INNOSPEC INC. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

INNOSPEC INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 09:29:42 EST.

Filings

10-K filed on 2024-02-14

INNOSPEC INC. filed an 10-K at 2024-02-14 09:29:42 EST
Accession Number: 0000950170-24-014960

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cyber Security Risk Management & Strategy Innospec has strategically integrated cyber security risk management into its broader risk management framework to promote a company-wide culture of cyber security risk management. This integration ensures that cyber security considerations are an integral part of our decision-making processes at every level. For example, training on cyber security risks was required of all Innospec directors and employees who have access to our information technology resources. Our risk management team works closely with our Information Technology ( IT ) leadership to continuously evaluate and address cyber security risks in alignment with our business objectives and operational needs. Innospec s IT leadership team is responsible for assessing, identifying and managing the inherent and residual risks associated with cyber security threats across our IT and Operational Technology landscape. IT leadership periodically reviews the Company s external threats, portfolio, and external services, and will update its risk register accordingly. IT leadership will, when required by either executive management or the Board, engage third-party reviews of our overall cyber security compliance using The National Institute of Technology ( NIST ) framework. IT leadership will also periodically engage specialist security contractors to test the 20 Company s resilience to cyber security threats, conduct penetration testing and vulnerability assessments across its assets and request additional investment where necessary to further improve our cyber security. Innospec utilizes an external service to provide ongoing analysis of the security related to our critical third-party service providers for IT operations and business IT services. Innospec will use the information provided by this external service as part of its IT vendor selection criteria and for ongoing third-party risk management. Innospec s cyber security is underpinned by a third-party specialist that monitors critical systems and end-user devices for cyber-attacks. In the first instance, cyber-attacks are brought to the attention of the IT leadership for evaluation and remediation before further escalation to the CEO and CFO is considered. Periodically, our systems are subject to targeted attacks which are intended to interrupt our operations or may lead to the loss, misuse or theft of personal information relating to our employees, suppliers and customers or lead to the loss of Company data, confidential information or our intellectual property. Governance Innospec s Board and its committees provide oversight of the Company s IT, including cyber security, in connection with the Company s efforts to assess and manage the Company s risk exposure. Oversight of risk management, including cyber security risk management is an integral part of Board and committee deliberations throughout the year. Since 2019, the Board has retained NCC Group ( NCC ) to perform cyber security reviews. NCC reports its findings directly to the Board. In addition, in early 2020 the Audit Committee retained Deloitte to lead a series of information technology risk evaluations. The evaluation resulted in a three-year audit plan covering Cyber Security, Legacy IT and IT Strategy. The audit plan was approved by the Audit Committee. Innospec s Board has delegated responsibility for the management of the Company s IT to the Company’s IT steering committee via the CEO and CFO. The IT steering committee is made up of executive management, business leaders from our reporting segments, the functional heads responsible for our operating systems, IT leadership and is chaired by our Global IT Director. The Company considers that the IT steering committee members have the appropriate qualifications and experience required to enable them to fulfill their responsibilities. The IT steering committee may, as per its agreed terms of reference, escalate any matter it wishes to the Board via either the CEO or CFO. IT leadership is made up of senior managers with the appropriate qualifications and business experience required for their roles across Innospec s IT operations. The Company considers that the IT leadership team is sufficiently experienced and qualified in its role of assessing and managing cyber security risks across the business. IT leadership formally reports through the CEO and CFO to the Board. Innospec s CEO and CFO are involved with and approve the Company s strategy for managing the prevention, detection, mitigation and remediation of cyber security incidents as part of its IT Security Management System which includes defined escalation and internal communications processes and responsibilities. IT leadership will, as required, present to the IT steering committee, information regarding any IT risks identified and the mitigation plans to reduce the Company s residual risks. The IT steering committee will be regularly updated as to the occurrence, mitigation and resolution of cyber security incidents. Any cyber security incident that is considered significant in nature will be shared by IT leadership with the IT steering committee in accordance with the agreed communication and escalation processes. The IT steering 21 committee will assess the incident and make a recommendation to the CEO and CFO as to whether the incident is reportable to the SEC and/or other regulators or stakeholders. In the last three fiscal years, management has determined there were no cyber security threats that have materially affected Innospec and that the expenses incurred relating to cyber incidents have been immaterial. The Company is not aware of any threats that are reasonably likely to materially affect its business strategy, results of operations or financial condition for the foreseeable future. IT leadership provides a written report to the Board each quarter and the Global IT Director presents in person at least annually. Those reports and presentations include information on Innospec s cyber security and the related key performance indicators. IT leadership also provides external threat analysis to the Board when new relevant threats are identified as being exploitable and their potential impact on Innospec. 22

Company Information