MINERALS TECHNOLOGIES INC 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

MINERALS TECHNOLOGIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 14:52:39 EST.

Filings

10-K filed on 2024-02-16

MINERALS TECHNOLOGIES INC filed an 10-K at 2024-02-16 14:52:39 EST
Accession Number: 0000891014-24-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company has processes, policies and procedures for identifying, assessing, managing, and responding to cybersecurity threats and incidents. These are integrated into our overall risk management systems, as overseen by our Board of Directors, primarily through the Audit Committee. Our policies and procedures include protocols for assessing potential material impact from cybersecurity threats and incidents, escalating to executive leadership and the Board of Directors, engaging external stakeholders, and reporting incidents based on applicable legal requirements. Our incident response plan provides guidance in the event of a cybersecurity incident, including processes with assigned roles and responsibilities to triage, contain, assess severity, escalate, investigate, and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate reputational damage. We use cybersecurity technologies, products, specialized IT tools and services including cyber threat intelligence and external cyber technology experts to understand, manage, mitigate and continually remediate identified risks. A cybersecurity incident may be detected in a number of ways, including through the following avenues: Security Operations Center (SOC) events, employee reports such as helpdesk incidents, and Cybersecurity tool and service stacks (e.g., vulnerability detection, threat intelligence, anti-virus, and malware detection tools). All cybersecurity risks are logged into the Company s cyber security risk register where they are tracked for remediation. These cybersecurity risks are discussed with management for resolution planning and escalation. We leverage recognized cybersecurity frameworks to drive strategic direction and maturity improvement and engage third party security experts for risk assessments, risk mitigation actions, vulnerability identification, and program enhancements. We periodically test our security controls through internal and external penetration testing that covers both corporate and plant IT networks by external specialized vendors, as well as in connection with auditing of our financial systems. We also conduct regular cybersecurity tabletop exercises to test established policies and procedures for responding to cybersecurity threats and incidents. In addition, we conduct an annual independent review of our cybersecurity posture. Throughout the year, we conduct cybersecurity training and awareness for our employees to help identify, avoid and mitigate cybersecurity threats utilizing various delivery methods such as phishing campaigns, training sessions, and informational bulletins. We conduct risk assessments of third-party suppliers and service providers including due diligence assessments of third-party suppliers and service providers that have access to the Company s networks, confidential information, and information systems. We provide all third-party vendors, consultants, and partners with detailed security requirements for securing their connections into our IT networks. Third parties service providers are also typically contractually responsible for identifying and remediating security issues within their technology and service environment. Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For more information, see Item 1A. Risk Factors, Our operations have been and will continue to be subject to cyber-attacks that could have a material adverse impact on our business, consolidated results of operations, and consolidated financial condition . Governance The Board of Directors is responsible for overseeing the assessment and management of enterprise-level risks that may impact the Company. The Audit Committee has primary responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. Management reports on cybersecurity matters, including material risks and threats, to the Audit Committee at regularly scheduled Audit Committee meetings , which is then discussed with the Board of Directors . The reports discuss specific risks and mitigation efforts, including critical and high cyber risks from the risk register, the results of our annual independent review of the Company s cybersecurity posture and other third party assessments and benchmarking information. It is management s responsibility to manage cybersecurity risks, as described above, and bring to the Board s attention material risks. Under the oversight of the Audit Committee , and as directed by the Company s Chief Executive Officer, the Company s Chief Information Officer (CIO) is primarily responsible for the assessment and management of cybersecurity risks. The CIO, who reports to the Chief Financial Officer, is aided by a third party Chief Information Security Officer with over 40 years of experience, in addition to other external professionals. Management s risk oversight is also accomplished through the Company s Strategic Risk Management Committee and Operating Risk Management Committee, which provides cross-functional support for cybersecurity risk management, as well as the Company s Chief Compliance Officer. 20

Company Information