Page last updated on November 20, 2024
CABOT CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 15:56:00 EST.
Filings
10-K filed on 2024-11-20
CABOT CORP filed a 10-K at 2024-11-20 15:56:00 EST
Accession Number: 0000950170-24-129210
Item 1C. Cybersecurity.
Risk Management and Strategy
As noted in Part I, Item 1A, Risk Factors, Cabot recognizes that the threat of cybersecurity breaches may create significant risks for the Company. Accordingly, we have taken measures to protect Company data and the continuing operation of our information technology and communications systems. Our cybersecurity program includes information technology (“IT”) policies and standards and an IT risk management program. Our cybersecurity risk management program leverages standards established by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which provides guidance to organizations on how to identify, prevent, detect, respond and recover from cybersecurity threats. Further, cybersecurity risk is integrated into our enterprise risk management (“ERM”) approach and is among the core enterprise risks that are subject to oversight by the Board, as described below, acting through the Audit Committee.
We use several tools and controls designed to manage IT risk, including, but not limited to, controls for the management of privileged access, anti-malware tools, simulated email phishing attacks, and other email security tools intended to detect and prevent intrusions as well as monitor risks. Cabot employees have access to formal IT policies that define and clarify expected behaviors with respect to IT resources in various areas. We have a Cyber Incident Response Plan, which establishes procedures to prepare for and respond to a variety of cyber incidents, and engage in response planning, simulations, trainings, tabletop exercises, and other efforts to prepare for any incidents should they occur.
We periodically engage assessors, consultants, auditors and other third parties to assess our cybersecurity programs, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. These assessments provide insight for areas of future improvement in risk mitigation and further program development. In addition, we rely on third parties for various business functions and oversee such third-party service providers by conducting vendor diligence upon onboarding as well as ongoing monitoring.
Governance and Oversight
Management Oversight in Cybersecurity Governance
Cabot’s Cyber Risk Steering Committee is responsible for review and oversight of the Company’s cybersecurity programs and risk assessment as well as the strategic direction of the program to address evolving risks. Bart Kalkstein, an Executive Vice President of Cabot and a member of Cabot’s Management Executive Committee, is a member of the Steering Committee and has executive responsibility for Digital matters. He is supported by our Chief Digital Information Officer (the “CDIO”) and our Senior Director of Digital Security (the “SDDS”). The SDDS is the member of the Company’s management principally responsible for overseeing the Company’s cybersecurity risk management programs in partnership with business and functional leaders across the Company as well as a managed security service provider that provides threat intelligence, global infrastructure monitoring and threat detection and response to cyber events. The SDDS has held various positions within Cabot’s IT department over her approximately 30-year tenure with the Company, has an educational background in Information Systems and contributes technical expertise to the Company’s management team.
We have established a process to assess the nature, scope and timing of a cyber incident and, as appropriate, communicate the facts of an incident to management and the Board of Directors and, as appropriate, investors. In the event of a cybersecurity incident, the incident response team is responsible for notifying senior management in a timely manner, to the extent that the facts and circumstances of a particular incident warrant such notification. If it is determined that the event is material to the Company, the matter will be escalated to the Board. For material incidents, the Company will provide information regarding the nature and scope of the incident to investors in compliance with SEC regulations.
Board of Directors Oversight in Cybersecurity Governance
Cabot’s Board of Directors oversees the Company’s cybersecurity program primarily through its Audit Committee, which comprises independent directors. Company executives along with external and internal cybersecurity personnel update the Audit Committee at least quarterly on risks related to cybersecurity and the steps taken to monitor and control risk exposure. Additionally, the results of periodic assessments of the Company’s cybersecurity programs, described above, are communicated to the Audit Committee upon completion. Relevant matters are also reviewed with the full Board on at least an annual basis.
As of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our efforts, we cannot guarantee that our cybersecurity safeguards will prevent breaches or breakdowns of our or our third-party service providers’ information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive or business harm or damage to our brand, lost sales, physical damage to facilities, physical harm to individuals, reduced demand, loss of intellectual property rights, significant costs or the Company being subject to government investigations, litigation, fines or damages. For additional information, see Part I, Item 1A, “Risk Factors-Operational Risks-Information technology systems failures, data security breaches, cybersecurity attacks or network disruptions have harmed us in the past and could compromise our information, disrupt our operations and expose us to liability, which may adversely impact our operations.”
Company Information
Name | CABOT CORP |
CIK | 0000016040 |
SIC Description | Miscellaneous Chemical Products |
Ticker | CBT - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | September 29 |