ASHLAND INC. 10-K Cybersecurity GRC - 2024-11-18

Page last updated on November 18, 2024

ASHLAND INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-18 16:33:00 EST.

Filings

10-K filed on 2024-11-18

ASHLAND INC. filed a 10-K at 2024-11-18 16:33:00 EST
Accession Number: 0000950170-24-128009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Ashland recognizes the importance of cybersecurity in safeguarding sensitive information and maintaining operational integrity. To that end, Ashland maintains an information security program as part of its overall Enterprise Risk Management (“ERM”) program. The Company’s information security program includes an incident response plan, which has been reviewed by third-party consultants and aligns with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework 2.0. The information security program, led by the Company’s Vice President of Cyber Security, is designed to provide a framework for assessing, identifying, managing, mitigating and responding to cybersecurity threats and incidents and to facilitate cross-functional coordination within Ashland. Ashland’s information security program also includes policies and processes that are designed to provide visibility and information about the identification, assessment, and management of critical risks and management’s risk mitigation strategies. This includes the use of a 24/7 Security Operations Center as well as an in-house, dedicated threat hunting team. Additional safeguards also include employee training and awareness programs around phishing, malware, and other cybersecurity risks. In addition, the Company conducts periodic testing of software, hardware, defensive capabilities, and other information security systems and regularly engages consultants and other expert third parties to assist the Company in the identification and assessment of risks. 22 Ashland also maintains a similar risk-based approach to its third-party vendor management program including identifying and overseeing cybersecurity risks that such third parties may present. As part of this program, the Company, imposes additional scrutiny for vendors that may handle personally identifiable information (PII) data or trade secrets. As of the date of this Annual Report on Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect its business, results of operations or financial condition. However, despite the Company’s best efforts, it cannot eliminate all risks from cybersecurity threats or provide assurances that undetected cybersecurity incidents have not occurred. See the “Risk Factors” in Item 1A of this Annual Report on Form 10-K for further information. Governance Ashland’s information security program is led by the Company’s Vice President of Cyber Security who is a Certified Information Systems Security Professional (CISSP) with more than 30 years of experience in information technology and 12 years of experience serving in a chief information security officer role or top executive leader in cyber. Our Vice President of Cyber Security is primarily responsible for integrating cybersecurity risk considerations into the Company’s overall risk management strategy. The Vice President of Cyber Security also holds a master’s in business administration and a Bachelor of Science degree in Computer Science and Engineering. In addition, other members of the Company’s information security team also have significant experience in information security. As noted above, management of Ashland’s cybersecurity risks is part of the Company’s overall ERM program, which is overseen by the Board. The Board’s Audit Committee has primary responsibility for the oversight of the Company’s information and cybersecurity risks and programs established to manage such risks. The Audit Committee fulfills this oversight responsibility through receiving regular (and as needed) reports and updates from the Company’s Vice President of Cyber Security and Ashland’s Board also receives periodic reports updates from the Vice President of Cyber Security and the Audit Committee regarding information and cybersecurity matters.

Company Information