NEWMARKET CORP 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

NEWMARKET CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 10:14:14 EST.

Filings

10-K filed on 2024-02-15

NEWMARKET CORP filed an 10-K at 2024-02-15 10:14:14 EST
Accession Number: 0001282637-24-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Material Risks from Cybersecurity Threats Our operations and other aspects of our business rely heavily on various information technology systems, some of which are managed by third parties. We face significant cybersecurity threats, which are continuously increasing in sophistication, including computer viruses, internal and external security breaches, and other cyber-attacks. These threats could disrupt our operations, lead to the loss of confidential information (such as the personally identifiable information of individuals, including our employees), and hinder our ability to process transactions with customers, operate our manufacturing facilities, and accurately report transactions in a timely manner. To manage these cybersecurity risks, our organization leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We have implemented comprehensive policies and procedures that facilitate the timely identification and reporting of cyber incidents. Additionally, we have established protective measures for the forensic analysis of cyber incidents. While we are proactive in our efforts to mitigate these threats through robust security processes and disaster recovery plans, the evolving nature of cybersecurity threats means that our systems may not always be able to identify or protect against a threat promptly or at all. As a result, there is a continuous risk of potential financial, legal, business, and reputational damage to our company stemming from cybersecurity threats. We employ a number of people who are part of our Information Technology group and are dedicated to and responsible for assessing and managing cybersecurity threats. Our Information Technology Director, who has over 25 years of experience in information security serving in roles of increasing responsibility, works with our cybersecurity employees to set priorities and is responsible for cybersecurity oversight and the escalation of incidents with business impact to senior leadership based on our Information Security Incident Management Policy. We utilize specialized third-party services and tools for identifying, protecting against, and detecting cyber incidents, and also partner with external cybersecurity experts and vendors to augment our internal security team. Through these third-party services, our detection capabilities include, but are not limited, to, real-time monitoring, intrusion detection systems, and advanced analytics to identify abnormal patterns of behavior. These third-party detection tools provide real-time alerts, log aggregation, and threat intelligence feeds, which are integrated into our incident response platform. Additionally, we engage third-parties to conduct independent assessments of our cybersecurity posture that evaluate the efficiency and effectiveness of our detection capabilities, along with our response mechanisms, and overall risk management. Third-party service providers are integral to our business operations and are incorporated into our enterprise-wide risk management program, which subjects the providers to rigorous vetting processes and ongoing oversight. We use specialized monitoring tools that evaluate the cybersecurity posture of our third-party providers using a cybersecurity scorecard. This allows us to continually assess the cybersecurity risk levels associated with these external partners. Our approach to managing cybersecurity risks (including third-party risk) is part of a continuous improvement process, both in the context of cybersecurity and broader operational risk management. This ongoing process, which includes employee training, is aimed at routinely reviewing and, as necessary, improving, our oversight processes and tools to ensure they remain effective and resilient in their management of cybersecurity risk. Material Impact of Cybersecurity Threats While we have yet to experience a material cybersecurity event, we acknowledge the persistent and evolving nature of these threats, which have the potential to materially impact our business strategy, operations, and financial standing adversely. See Item 1A, “Risk Factors” under the operational risks section for more information. We maintain robust policies and procedures focused on cybersecurity incident management, ensuring timely communication and escalation to all relevant stakeholders. This enables faster response and effective communication, including public disclosure if a material cybersecurity event were to occur. 19 Table of Contents Board of Directors Oversight The Board of Directors oversees risks related to cybersecurity, including the security of corporate information and the steps management is taking to monitor and control these risks. Management regularly briefs the Board on our cybersecurity risk profile, emerging threats, and the efficacy of our risk mitigation strategies, including our continuous improvement initiatives. These initiatives aim to enhance the resiliency of our cybersecurity program as well as our broader operational risk management strategies.

Company Information