SENSIENT TECHNOLOGIES CORP 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

SENSIENT TECHNOLOGIES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 11:25:55 EST.

Filings

10-K filed on 2024-02-22

SENSIENT TECHNOLOGIES CORP filed a 10-K at 2024-02-22 11:25:55 EST
Accession Number: 0001140361-24-008963


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats in order to safeguard our information systems and protect the confidentiality, integrity, and availability of our information systems and the information residing therein. We have implemented several cybersecurity processes to aid in our efforts to assess, identify, and manage such material risks.

Our risk management program considers cybersecurity threat risks alongside other risks as part of our overall risk assessment process. We believe that integrating our cybersecurity risk management into our broader risk management framework promotes a company-wide culture of cybersecurity risk management and ensures that cybersecurity considerations are an integral part of decision-making at every level. We employ a wide range of tools, policies, and services, including but not limited to penetration testing, network and endpoint monitoring, vulnerability assessments, information segregation, and tabletop exercises to inform our risk identification and assessment. We routinely review and upgrade our information technology and cybersecurity systems in order to better manage, report, and protect the information related to our formulas and processes, research and development, trade secrets, products, customers and suppliers, employees, and other sensitive information. We also have a cybersecurity specific risk assessment process that helps us identify our cybersecurity threat risks and maturity level by comparing our processes to standards set by the International Organization for Standardization.

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, we:

- Run tabletop exercises with our executive team to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
- Conduct regular third-party assessments of our cybersecurity program;
- Undertake regular reviews of our incident response plan and other policies related to cybersecurity;
- Run regular cyber penetration testing;
- Through policy and practice, classify information, restrict access, and require employees to treat sensitive data with care; and
- Conduct an annual employee training program, including regular phishing email simulations for all employees with access to corporate email systems to enhance awareness and responsiveness to such possible threats.

Our incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations.

Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages third-party experts, including assessors, auditors, and consultants, in evaluating and testing our risk management systems. Such engagements include: managed security services, regular audits, penetration testing, threat assessments, and consultation on security enhancements.

The Company has processes in place to oversee and manage its use of third-party vendors. We conduct security assessments of third-party vendors engaged, limit the information systems of the Company available to the third party, and maintain monitoring to ensure compliance with our cybersecurity standards.

From time to time, we experience cybersecurity incidents and threats to our systems and information. Through the date hereof, no risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected, and we do not believe are reasonably likely to materially affect, the Company, including our business strategy, results of operations, or financial condition. However, we cannot guarantee that we will not be materially affected in the future. Cybersecurity threats rapidly evolve and are complex, so we must continually adapt and enhance our processes. As we do this, we must make judgments about where and how to invest resources to most effectively protect ourselves from threats. These are inherently challenging processes, and we can provide no assurance that the processes that we implement will be effective. For more information regarding cybersecurity risks that could impact the Company, see our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which such disclosures are incorporated by reference herein.

Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our entire Board is responsible for the oversight of risks from cybersecurity threats. At least twice annually, the entire Board receives an overview from management of our cybersecurity progress and effectiveness, covering topics such as current cybersecurity landscape and emerging threats, data security posture, results from third-party assessments, status of ongoing initiatives and strategies, and material cybersecurity threat risks or, if any, incidents and developments. In these sessions, the Board receives materials and discusses such matters with our Chief Information Officer. The Board also receives annual training on cybersecurity.

In addition, we have formed an executive level steering committee (including the CEO, CFO, Group Presidents, General Counsel, VP, Human Resources, Controller/Chief Accounting Officer, and Chief Information Officer) that provides oversight and routinely discusses cybersecurity matters.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer, our Director of Information Security, and our Director of Infrastructure. These individuals collectively have over 85 years of prior work experience in various roles in the information security field, including managing and implementing effective information technology and cybersecurity programs, as well as relevant degrees and certifications, including a Certified Information Systems Security Professional certification. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, our Chief Information Officer reports to the entire Board about cybersecurity threat risks, among other cybersecurity matters, at least twice annually or more frequently as circumstances may require.


Company Information

Name: SENSIENT TECHNOLOGIES CORP
CIK: 0000310142
SIC Description: Industrial Organic Chemicals
Ticker: SXT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30