Ecovyst Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

Ecovyst Inc. reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-02-29 16:02:41 EST.


10-K filed on 2024-02-29

Ecovyst Inc. filed a 10-K at 2024-02-29 16:02:41 EST
Accession Number: 0001708035-24-000070


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has adopted processes designed to identify, assess and manage material risks from cybersecurity threats, which are integrated into the Company’s overall risk management systems and processes. Those processes include response to and an assessment of internal and external threats to the security, confidentiality, integrity and availability of our data and information systems, along with other material risks to our operations. The Company references the National Institute of Standards and Technology Cybersecurity Framework to help identify, assess, and manage cybersecurity risks and has adopted and tested a formal cybersecurity incident response plan. As part of our risk management process, the Company also engages third-party providers to conduct periodic internal and external penetration testing and maturity assessments. The Company stores data on premise and in cloud environments, with security appropriate to the data involved and has adopted controls around, among other things, access and acceptable use, backup and recovery and vendor risk assessment.

Our cybersecurity program is managed by the Cyber Incident Response Team (the “CIRT”), which is led by the Global IT Director, System Infrastructure Manager and the Network Infrastructure Manager, each with over 20 years of experience in IT. The CIRT serves as the core team responsible for managing the enterprise-wide cybersecurity policy, maintenance and compliance across all platforms. The CIRT is responsible for the detection and initial assessment of potential cybersecurity threats and incidents. The CIRT classifies detected cyber incidents to allow prioritization, response and escalation. Incidents are documented for internal reporting processes and regularly shared with senior management.
In the event of a potential cybersecurity incident, the CIRT will conduct an assessment to determine the nature and scope of the incident and manages the incident in accordance with our incident response plan until the incident is contained and resolved. The CIRT will document findings and make them available to the Disclosure Committee, which includes cross functional senior management representation from information technology, legal, finance, investor relations and business segments. The Disclosure Committee, in conjunction with third-party experts, including outside legal counsel, is responsible for assessing the materiality of any cybersecurity incident and coordinating external communications and disclosures, including with the Securities and Exchange Commission.

On a quarterly basis, our employees, contractors, and other users of the Company’s systems and networks are required to take cybersecurity training. The training is designed to provide employees and contractors with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. These trainings are administered through a collaboration with third-party services and systems and address various topics, including how to handle sensitive and personal information, physical security of intellectual property, how to identify phishing attempts, reducing our risk to being phished and how to improve cybersecurity intelligence while working from home.

As of December 31, 2023, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition, although we may be materially affected in the future by such risks or future material incidents.
See “Risk Factors-Risks Related to Our Business Operations-Disruption, failure or cyber security breaches affecting or targeting computers and infrastructure used by us or our business partners may adversely impact our business and operations” for additional information regarding cybersecurity risks.

Governance

Roles and Responsibilities

Cybersecurity is an important part of our risk management processes and an area of focus for Ecovyst’s management and Board of Directors. We continue to invest in cybersecurity and the resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure and the information they contain.

Our Board is actively involved in the assessment, oversight and management of the material risks that could affect the Company. The Board carries out its risk oversight and management responsibilities by monitoring risk directly as a full Board and, where appropriate, through its committees. The Board has delegated to the Audit Committee the responsibility to oversee the integrity of the Company’s information technology and cybersecurity risks and to assess the risks and incidents relating to cybersecurity threats.

While our Board and Audit Committee oversee cybersecurity risk, management, through the CIRT, is responsible for the implementation and management of cybersecurity risk management systems and processes and for the communication of incidents to senior management and the Audit Committee. The CIRT meets with the CEO and other members of our senior management on a quarterly basis and meets with the Audit Committee at least annually. Additionally, the Audit Committee regularly meets with members of the Company’s internal audit function to discuss risk management activities, compliance, best practices, and other related matters.

Company Information

Name: Ecovyst Inc.
SIC Description: Chemicals & Allied Products
Category: Large accelerated filer
Fiscal Year End: December 30