OLIN Corp 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

OLIN Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 15:16:43 EST.

Filings

10-K filed on 2024-02-22

OLIN Corp filed a 10-K at 2024-02-22 15:16:43 EST
Accession Number: 0000074303-24-000041


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have an enterprise-wide cybersecurity risk management approach designed to identify, protect, detect, respond to and manage cybersecurity and information technology risks and threats. This program is integrated into our enterprise risk management (ERM) framework, and the underlying controls leverage recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework.

Our Company's Chief Information Officer (CIO) is responsible for developing and maintaining our global cybersecurity and information technology program and directs our Information Security team. The Information Security team is primarily responsible for identifying and protecting against cybersecurity threats and maintains a comprehensive set of policies and standards applicable to our global organization. We consult with multiple third-party firms to assess and review these policies and standards and regularly update them for contemporary best practices. Our CIO has over fifteen years of experience leading cybersecurity oversight for global organizations, and our Information Security team leaders have extensive cybersecurity and information technology industry experience with Olin or other large public companies and hold industry certifications, including the Certified Information Systems Security Professional certification.

Our Information Security team monitors alerts and meets to discuss threat levels, trends and remediation tactics. Every identified cyber event is evaluated, ranked by severity and prioritized for response and remediation in compliance with our global Security Incident Management Procedure. Significant events are evaluated for both quantitative and qualitative factors to determine materiality on a case-by-case basis, including, among other factors, potential privacy, operational, financial, or reputational impacts for the Company, and our customers, vendors, shareholders, or other external stakeholders. The Information Security team prepares a monthly scorecard for senior management, summarizing cyber events for the month and reporting on our remedial actions. While we have experienced cybersecurity attacks, such attacks to date have not materially affected the Company or our business strategy, results of operations, or financial condition.

The Company regularly conducts penetration testing, both internally and by third parties, and conducts automated attacks simulating real-world cyber incidents. These tests and assessments are useful tools for maintaining a comprehensive cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. We continue to expand our cybersecurity risk mitigation strategies, which includes around-the-clock monitoring of our global network, using layered defenses and identifying and protecting critical assets, including our manufacturing facilities. The Information Security team conducts annual cybersecurity awareness training and quarterly email phishing tests and training for all employees.

We rely on certain external service providers to assist in the management of the day-to-day operation of our business, operate elements of our manufacturing facilities, manage relationships with our employees, customers, and suppliers, fulfill customer orders, and maintain our financial, accounting, or other business records. The Information Security team maintains a third-party security program to identify, prioritize, assess, mitigate, and remediate our third-party risks; however, we also rely on our third-party vendors, suppliers, and other business partners to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. Cybersecurity risks are assessed when selecting our third-party service providers and reassessed periodically.

We face a number of cybersecurity risks in connection with our business. Failure of any one or more than one of our information technology systems could be caused by internal or external events or parties, such as incursions by intruders or hackers, computer viruses, cyber-attacks, failures in hardware or software, or power or telecommunication fluctuations or failures. For more information about the cybersecurity risks we face, see Item 1A - Risk Factors.

Cybersecurity Governance

Cybersecurity is an important component of our ERM framework and an area of focus for both our Board of Directors (Board) and management team. While management holds primary responsibility for our Company's risk management strategy, our Board, with the support of its committees, oversees the process to ensure that the framework designed, implemented and maintained by management is functioning as intended and adapts, when necessary, to our evolving strategy and emerging risks.

The Board's Audit Committee is delegated responsibility for oversight of our ERM process, including our strategies to identify, detect and respond to cybersecurity and information technology risks and threats. Our Audit Committee's process includes an annual review of our ERM program to ensure appropriate practices are in place to monitor and mitigate identified risks on an ongoing basis. Additionally, our CIO meets with the Audit Committee or Board each quarter to discuss cyber hygiene, incidents (as needed), and provide updates on our enterprise-wide cybersecurity risks and strategies, including steps taken to mitigate and manage the same. To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically hosts experts for presentations on current cyber topics, trends and best practices. We have established protocols by which certain cybersecurity incidents are reported to the Audit Committee and Board.


Company Information

Name: OLIN Corp
CIK: 0000074303
SIC Description: Chemicals & Allied Products
Ticker: OLN - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30