Huntsman CORP 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Huntsman CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 14:55:06 EST.

Filings

10-K filed on 2024-02-22

Huntsman CORP filed a 10-K at 2024-02-22 14:55:06 EST
Accession Number: 0001437749-24-005185


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of developing, implementing and maintaining cybersecurity measures to safeguard our information systems, shield our operational technologies in our manufacturing plants and protect the confidentiality, integrity and availability of our data. We have a qualitative cybersecurity risk management program within our Enterprise Information Security function to promote a company-wide culture of cybersecurity risk management for our information technology and operational technology. This program supports cybersecurity considerations as part of our decision-making processes. Our Enterprise Information Security team works closely with our global information technology organization (Global IT), operational technology teams and business units to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We are aligned with the U.S. National Institute of Standards and Technology Cybersecurity Framework, against which we periodically assess our readiness.

Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants and auditors, in evaluating and testing our cybersecurity posture. These partnerships enable us to leverage specialized knowledge and insights in the development of our cybersecurity program consistent with industry best practices. Our collaboration with these third parties includes regular audits, threat assessments and consultation on security enhancements.

Because we are aware of the risks associated with third parties, we have implemented a third-party security risk management program to oversee and manage these risks. We conduct security assessments of third-party providers contracted by Global IT before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The program includes tools and services, which continuously monitor third parties for potential security concerns, data leaks and cyber posture, as well as periodic renewals of due diligence commensurate with their risk. This approach is designed to mitigate risks related to data breaches or other security incidents originating from these third parties.

As of the date hereof, we have not identified any cybersecurity threats or previous cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I. Item 1A. Risk Factors.

Cybersecurity Governance

The Board of Directors is aware of the importance of managing risks associated with cybersecurity threats. The Board of Directors has established oversight mechanisms for effective governance in managing risks associated with cybersecurity threats, because they recognize the significance of these threats to our operational integrity and stakeholder confidence. The Audit Committee is responsible for the Board of Directors' oversight of cybersecurity risks. The Audit Committee is composed of board members with diverse expertise, including cyber operations, risk management, technology and finance, equipping them to oversee cybersecurity risks effectively.

The Audit Committee reviews our cybersecurity programs and the effectiveness of its risk management strategies. This review helps management identify areas for improvement and align our cybersecurity program with the overall risk management framework.

The Chief Information Officer (CIO) plays a pivotal role in informing the Audit Committee on cybersecurity risks. The CIO provides briefings to the Audit Committee on a quarterly basis. These briefings encompass a broad range of topics, including: current cybersecurity landscape and emerging threats; status of ongoing cybersecurity initiatives and strategies; incident reports and learnings from any cybersecurity events; and compliance with regulatory requirements and industry standards.

In addition to our scheduled meetings, select members of the Audit Committee and CIO maintain an ongoing dialogue regarding potential cybersecurity threats and mitigation strategies and updates to our cybersecurity posture. The Audit Committee oversees strategic decisions related to our cybersecurity program, offering guidance and approving investments in major initiatives. This ongoing oversight enables cybersecurity considerations to be integrated into our broader strategic planning objectives.

Reporting to our CIO, our cybersecurity function is led by our Chief Information Security Officer (CISO). The CISO manages a team of cybersecurity professionals and third-party support functions with broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. Our CISO and CIO are regularly informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques, for the effective prevention, detection, mitigation and remediation of cybersecurity incidents.

The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we have an incident response plan that includes immediate actions to contain and eradicate the threat, mitigate the impact, and long-term strategies for remediation and prevention of future incidents.

The CIO regularly informs the Chief Executive Officer and management regarding cybersecurity risks and incidents, so they are kept abreast of the cybersecurity posture and potential risks. Significant cybersecurity matters and strategic risk management decisions are reported to the Audit Committee.


Company Information

Name: Huntsman CORP
CIK: 0001307954
SIC Description: Chemicals & Allied Products
Ticker: HUN - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30