Koppers Holdings Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

Koppers Holdings Inc. reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-02-28 12:09:22 EST.


10-K filed on 2024-02-28

Koppers Holdings Inc. filed a 10-K at 2024-02-28 12:09:22 EST
Accession Number: 0000950170-24-021787


Item 1C. Cybersecurity.

We are committed to ensuring the confidentiality, integrity and availability of data that is owned and managed by us. We are also committed to protecting confidential information that is shared with us by our business partners.

The cybersecurity program at Koppers has been designed based on an industry standard cybersecurity framework and is aligned with local and regional compliance requirements. The cybersecurity program is reviewed periodically by an independent third-party, and the results are shared with the board of directors. Components of the cybersecurity program are guided by the results of the independent third-party assessment. The cybersecurity program is part of the larger Enterprise Risk Management (ERM) program which is reviewed by management and the board of directors on a periodic basis. Compliance with the cybersecurity program is ensured via policies, procedures, training, and systems.

24 Koppers Holdings Inc. 2023 Annual Report

Information security policies at Koppers lay out the guardrails that ensure compliance with the program. Examples of guardrails set within the information security policies at Koppers include application of the principle of least privilege when granting access (the principle that a user or entity should only have access to the specific data, resources and applications needed to complete a required task), logging and monitoring activity of privileged accounts, authorized physical and logical access to information technology (IT) systems, and requiring maintenance of confidentiality of non-public information.

Standard operating procedures (SOPs) ensure accuracy and completeness of various IT tasks being performed throughout the organization. SOPs include incorporating data processing agreements in contracts, commissioning and decommissioning of IT systems, granting role-based user access, patch management, and change management.

Training is conducted regularly for all employees who interact with Koppers IT systems. Specialized training is also conducted for employees who deal with sensitive data.

Security systems have been deployed to manage vulnerabilities within the IT environment, and periodic penetration tests validate the Koppers security posture. IT systems are protected using various tools like multi-factor authentication (MFA), virtual private network (VPN), firewalls, end-point protection, spam and web filters, mobile device management, and privileged access management. A third-party monitoring service aids in detecting any threats or anomalies with the network.

A multi-department incident response plan has been developed to facilitate a swift response in the event of a cybersecurity incident, which includes notifying the appropriate regulatory agencies. IT systems critical to the business operations have been identified and plans have been developed for a swift recovery of IT services in the event of a service failure.

We utilize various IT cloud service providers. Annual security reviews of all service providers that provide critical service to the business are conducted. A cybersecurity risk assessment is conducted prior to contracting with a new IT cloud service provider providing high-impact services.

The Strategy and Risk Committee of the board of directors is composed of board members with diverse experience that allows them to oversee cybersecurity risks effectively.

We have a Vice President, Information Technology with over 20 years of experience at Koppers in various positions of increasing responsibility within the IT function, working on initiatives related to enterprise resource planning systems, mobile computing, data analytics, SOX compliance, and cybersecurity. Prior to working at Koppers, the Vice President, Information Technology worked at a global technology consulting company implementing software solutions. This position plays a pivotal role in informing management, the Strategy and Risk Committee and the board of directors on cybersecurity risks. An update on the cybersecurity program is provided to the board of directors quarterly.

As of the date of this report, we have not experienced a material information security incident.

Company Information

Name: Koppers Holdings Inc.
SIC Description: Lumber & Wood Products (No Furniture)
Ticker: KOP - NYSE
Category: Accelerated filer
Fiscal Year End: December 30