FMC CORP 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

FMC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 14:51:18 EST.

Filings

10-K filed on 2024-02-27

FMC CORP filed a 10-K at 2024-02-27 14:51:18 EST
Accession Number: 0000037785-24-000033


Item 1C. Cybersecurity.

Cybersecurity Processes

As noted in Item 1A. Risk Factors, FMC recognizes that the threat of cybersecurity breaches may create significant risks for the Company. Accordingly, we are committed to an ongoing and comprehensive program to protect all company data, as well as data in our supply chain, from these threats. Our cybersecurity program includes governance defined by IT policies and standards and a robust IT risk management program. FMC uses several tools and controls to manage IT risk including, but not limited to, controls for the management of privileged access, anti-malware tools, required trainings for employees including an annual training module, simulated email phishing attacks, and other email security tools to detect and prevent intrusions as well as monitor threats. FMC employees have access to formal IT policies that define and clarify expected behaviors with respect to IT resources in various areas.

The Company has a Cyber Incident Response Plan, which establishes procedures to prepare for and respond to a variety of cyber incidents, and continuously engages in response planning, simulations, trainings, tabletop exercises, and other efforts to mitigate risk and prepare for a rapid response to any incidents should they occur. Additionally, our contracts with third-party providers require those organizations to notify FMC of any cyber incident that occurs when our information has been impacted. FMC frequently communicates with our third-party service providers to ensure timely notification of any matters that may impact our data security.

Periodically, the Company has its cybersecurity programs audited by independent third parties using the NIST Cybersecurity Framework, which provides guidance to organizations on how to identify, prevent, detect, respond, and recover from cybersecurity threats. The most-recent audit was performed in 2022 over the Company’s 2021 cybersecurity program. The audit results showed that FMC has a mature and robust cybersecurity program that is rated at or above peer industry benchmarks and also provided insight for areas of future improvement in risk mitigation and further program development.

Management Oversight in Cybersecurity Governance

FMC’s senior management Operating Committee, which includes the Chief Executive Officer and all Company vice presidents, is responsible for review and oversight of the Company’s cybersecurity programs and risk assessment as well as the strategic direction of the program to address evolving risks. Specifically, David Kotch, Vice President and Chief Information Officer, serves as management’s expert in cybersecurity management. He has held various positions within the Company’s IT department, has an educational background in Information Systems, and contributes technical expertise to the Company’s Operating Committee. He serves as a member of the Chemical Information Technology Center’s CIO organization and the CIO Executive Summit. Mr. Kotch also belongs to various business associations, including industry and government associations, to ensure timely receipt of critical threat information as well as access resources useful in developing cost-effective security solutions to protect the Company’s personnel and information. Additionally, Andrew Sandifer, Executive Vice President and Chief Financial Officer, has completed continuing professional education courses covering the role of management and the board of directors in cybersecurity governance. Members of the management team are encouraged to engage in education opportunities related to cybersecurity.

FMC has established a process to assess the nature, scope and timing of a cyber incident and communicate the facts of the incident to management and the board of directors and, if needed, investors. In the event of a cybersecurity incident, the incident response team, which is managed by IT personnel, is responsible for ensuring the Chief Executive Officer and Operating Committee are notified in a timely manner. For any cybersecurity incident, there will be a cross-functional review, including the IT, legal, and finance teams, to evaluate qualitative and quantitative factors related to the incident to determine if the impact of the event is material. Individuals from other departments may be involved in this review depending on the facts and circumstances of the incident. These individuals will be responsible for responding to the event and monitoring the impacts on the Company’s operations, financial position, and results of operations. This team will also evaluate cyber incidents in the aggregate if related events occur. During the response and recovery related to a cyber incident, this team will meet daily or weekly depending on the severity of the event and continuously evaluate the nature, scope, and timing of the event.

Members of the senior management Operating Committee, including the Chief Information Officer, Chief Financial Officer, Chief Accounting Officer, and General Counsel will be briefed as to the facts and circumstances of a cyber incident and determine if the event is considered material to the business. If such determination is made, the matter will be escalated to Board of Directors. For material incidents, the Company will provide information regarding the nature and scope of the incident to investors in compliance with SEC regulations. Throughout this process and the recovery following an incident, the Company is focused on considering the ever-changing facts and circumstances of the event and remaining as transparent with the investment community as possible.

During 2023, FMC did not directly experience a cybersecurity breach in any FMC system. During 2023, we did receive notification of cybersecurity breaches affecting third-party vendors, but none were material in nature for FMC.

Board of Directors Oversight in Cybersecurity Governance

FMC’s Board of Directors oversees the Company’s cybersecurity program primarily through its Audit Committee, which is comprised of independent directors whose prior work experience provides them with insights as to potential cybersecurity risks and mitigation strategies. Company executives along with external and internal cybersecurity experts update the Audit Committee at least quarterly on risks related to cybersecurity and the steps taken to monitor and control risk exposure. Additionally, the results of periodic audits performed on the Company’s cybersecurity programs, described above, are communicated to the Audit Committee upon completion. In addition to the routine updates provided to the Audit Committee, FMC has an established policy for communication of cybersecurity incidents with the Board of Directors and, if material, the investor community. Refer to the discussion above for further details of this policy.


Company Information

Name: FMC CORP
CIK: 0000037785
SIC Description: Chemicals & Allied Products
Ticker: FMC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30