Owens Corning 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

Owens Corning reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 06:06:49 EST.

Filings

10-K filed on 2024-02-14

Owens Corning filed an 10-K at 2024-02-14 06:06:49 EST
Accession Number: 0001370946-24-000046

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have a range of security measures that are designed to protect against the unauthorized access to and misappropriation of our information, corruption of data, intentional or unintentional disclosure of confidential information, or disruption of operations. These security measures include controls, security processes and monitoring of our manufacturing systems. We have cloud security tools and governance processes designed to assess, identify and manage material risks from cybersecurity threats. In addition, we maintain an information security training program designed to address phishing and email security, password security, data handling security, cloud security, operational technology security processes, and cyber-incident response and reporting processes. Our cybersecurity strategy includes defense in depth, zero trust, and standards-based controls intended to protect our information technology systems. We perform incident response tabletop exercises that include members of the Company s senior management team to validate, test, and assess the effectiveness and adequacy of certain roles and decision-making processes in the event of a cybersecurity incident. We also assess, identify, and manage cyber risk associated with divestiture and merger and acquisition activities. The oversight of our cybersecurity risk management process is integrated into our overall risk management process. The risk committee is responsible for overseeing and monitoring our risk assessment and mitigation-related actions, including with respect to cybersecurity risks. The risk committee is not a committee of our Board of Directors. It is a cross-functional committee that includes members across many areas of expertise and is structurally independent of our business lines. The risk committee s membership is designed to provide diversity of thought and perspective related to risk, including cybersecurity risks. The risk committee identifies risks and mitigation strategies, and it provides key updates to executive officers and the Audit Committee of our Board of Directors. We use third-party service providers to execute certain business processes, maintain certain information systems and infrastructure, evaluate defenses, and implement recommendations. We periodically have external information security assessments performed by third parties to analyze our information technology systems and to stay informed of information security risks. Additionally, we have a supplier validation process, which provides for review and approval by our cybersecurity group for cloud services. Although we experience cybersecurity incidents from time to time as part of our operations, we have not experienced any information security breach that had, or is reasonably likely to have, a material impact on our business strategy, results of operations or financial condition. Any breach of our security measures, or those of our third-party service providers, could result in unauthorized access to and misappropriation of our information, corruption of data or disruption of systems, operations or transactions, any of which could have a material adverse effect on our business strategy, results of operations or financial condition. See Risk Factors on page 9 of this Form 10-K for further discussion of the risks related to cybersecurity threats. Governance The Board of Directors is responsible for overseeing risk for the Company and has delegated to the Audit Committee responsibility for overseeing the cybersecurity risk management strategy for the Company. The Audit Committee receives regular updates on our cybersecurity risk management process from members of management, including our Chief Information Officer ( CIO ). The Audit Committee review our comprehensive cybersecurity framework, including reviewing our cybersecurity reporting protocol that provides for the notification, escalation and communication of significant cybersecurity events to a crisis management team and appropriate levels of management, including our CIO, as well as to the Audit Committee. Management also provides the Audit Committee with a cybersecurity dashboard, which the full Board of Directors can access as well. Additionally, the Audit Committee regularly provides updates to the Board on the status of the Company s cybersecurity risk management process. The Company s cybersecurity program is overseen by our CIO, who is responsible for global information technology, including cybersecurity. Our Vice President, Global Information Security, is primarily responsible for assessing and managing material risks from cybersecurity threats, including monitoring the measures used for prevention, detection, mitigation and remediation of cybersecurity incidents. The information security organization is comprised of internal Owens Corning employees and external security suppliers who provide security monitoring and response. Our Global Information Services team is regularly engaged in cybersecurity training and awareness and incorporates relevant reviews in technology design and development. Table of Contents -20- ITEM 1C. CYBERSECURITY (continued) Our CIO has 19 years of experience in the information technology industry, including engagement with cybersecurity strategy and oversight. Our CIO reports directly to our Chief Executive Officer. Our Vice President, Global Information Security has 27 years of experience in the cybersecurity industry, including previous experience in the U.S. Air Force, consulting, and 21 years with Owens Corning, and reports directly to our CIO. Table of Contents -21-
ITEM 1C. CYBERSECURITY (continued) Our CIO has 19 years of experience in the information technology industry, including engagement with cybersecurity strategy and oversight. Our CIO reports directly to our Chief Executive Officer. Our Vice President, Global Information Security has 27 years of experience in the cybersecurity industry, including previous experience in the U.S. Air Force, consulting, and 21 years with Owens Corning, and reports directly to our CIO. Table of Contents -21-

Company Information