OLIN Corp 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

OLIN Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 09:49:06 EST.

Filings

10-K filed on 2026-02-20

OLIN Corp filed a 10-K at 2026-02-20 09:49:06 EST
Accession Number: 0000074303-26-000027

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We have an enterprise-wide cybersecurity risk management approach designed to identify, protect, detect, respond to and manage cybersecurity and information technology risks and threats. This program is integrated into our enterprise risk management (ERM) framework, and the underlying controls leverage recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. The Information Technology organization is led by the Company's Chief Information Officer (CIO), who is responsible for cybersecurity and risk management, with oversight by the Audit Committee. The cybersecurity program is overseen by the Company's Chief Information Security Officer (CISO) and supporting cybersecurity leadership, who lead teams to protect and preserve the confidentiality, integrity and continued availability of all information owned by, or in the care of, Olin against cybersecurity threats and maintains a comprehensive set of policies and standards applicable to our global organization. The CIO and CISO, along with the leadership team, possess many years of relevant Information Technology, cybersecurity and risk management experience in the manufacturing and defense sectors with Olin or other large public companies. Educational backgrounds include advanced degrees and certifications, such as Certified Information Systems Security Professional. We consult with multiple third-party firms to assess and review these policies and standards and regularly update them for contemporary best practices. Our Information Security team monitors alerts and meets to discuss threat levels, trends and remediation tactics. Every identified cyber event is evaluated, ranked by severity and prioritized for response and remediation in compliance with our global Security Incident Management Procedure. Significant events are evaluated for both quantitative and qualitative factors to determine materiality on a case-by-case basis, including, among other factors, potential privacy, operational, financial, or reputational impacts for the Company, and our customers, vendors, shareholders, or other external stakeholders. The Information Security team prepares a quarterly scorecard for senior management and the Audit Committee, summarizing cyber activity for the quarter and reporting on our remedial actions. While we have experienced typical cybersecurity incidents, such incidents to date have not materially affected the Company or our business strategy, results of operations, or financial condition. The Company regularly conducts penetration testing, both internally and by third parties, and conducts automated attacks simulating real-world cyber incidents. These tests and assessments are useful tools for maintaining a comprehensive cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. We continue to expand our cybersecurity risk mitigation strategies, which includes around-the-clock monitoring of our global network, using layered defenses and identifying and protecting critical assets, including our manufacturing facilities. The Information Security team conducts annual cybersecurity awareness training and quarterly email phishing tests and training for all employees. We rely on certain external service providers to assist in the management of the day-to-day operation of our business, operate elements of our manufacturing facilities, manage relationships with our employees, customers, and suppliers, fulfill customer orders, and maintain our financial, accounting, or other business records. The Information Security team maintains a third-party security program to identify, prioritize, assess, mitigate, and remediate our third-party risks; however, we also rely on our third-party vendors, suppliers, and other business partners to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. Cybersecurity risks are assessed when selecting our third-party service providers and reassessed periodically. We face a number of cybersecurity risks in connection with our business. Failure of any one or more than one of our information technology systems could be caused by internal or external events or parties, such as incursions by intruders or hackers, computer viruses, cyber-attacks, failures in hardware or software, or power or telecommunication fluctuations or failures. For more information about the cybersecurity risks we face, see Item 1A - "Risk Factors." Cybersecurity Governance Cybersecurity is an important component of our ERM framework and an area of focus for both our Board of Directors and management team. While management holds primary responsibility for our Company's risk management strategy, our Board of Directors, with the support of its committees, oversees the process to ensure that the framework designed, implemented and maintained by management is functioning as intended and adapts, when necessary, to our evolving strategy and emerging risks. The Board of Director's Audit Committee is delegated responsibility for oversight of our ERM process, including our strategies to identify, detect and respond to cybersecurity and information technology risks and threats. Our Audit Committee's process includes an annual review of our ERM program to ensure appropriate practices are in place to monitor and mitigate identified risks on an ongoing basis. Additionally, our CIO meets with the Audit Committee or Board of Directors each quarter to discuss cyber hygiene, incidents (as needed), and provide updates on our enterprise-wide cybersecurity risks and strategies, including steps taken to mitigate and manage the same. To aid the Board of Directors with its cybersecurity and data privacy oversight responsibilities, the Board of Directors periodically hosts experts for presentations on current cyber topics, trends and best practices. In the event that a cybersecurity incident is determined to have, or is likely to have, a material impact on the Company, the CIO, in coordination with Olin's Chief Financial Officer, Chief Legal Officer or Chief Executive Officer will notify the Audit Committee and Board of Directors, following the Company's Crisis Management Plan and Procedures.

Company Information