Page last updated on November 21, 2024
Air Products & Chemicals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-21 13:57:11 EST.
Filings
10-K filed on 2024-11-21
Air Products & Chemicals, Inc. filed a 10-K at 2024-11-21 13:57:11 EST
Accession Number: 0000002969-24-000056
Item 1C. Cybersecurity.
Cybersecurity risk management and oversight are of utmost importance to Air Products and are necessary to maintain the trust and confidence of our customers, employees, and other stakeholders. The Company has implemented a thorough cybersecurity program for assessing, identifying, and managing material risks from cybersecurity threats as a fully integrated component of the Company’s overall Enterprise Risk Management (“ERM”). In fiscal year 2024, we achieved our primary cybersecurity risk management objective of having no material cybersecurity incidents. Over the past three years, we have not experienced any material information security breaches and have not incurred material expenses from cybersecurity incidents, including those arising at third parties.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program is designed as a holistic program focused on predicting, preventing, detecting, and responding to cybersecurity threats across enterprise systems as well as the operational technology systems for our plants and pipelines. The Company regularly assesses industry best practices, frameworks, and standards, and leverages them to advance its cybersecurity risk management maturity. These frameworks include the International Society of Automation and the International Electrotechnical Commission standards for industrial automation, as well as the National Institute of Standards and Technology.

Our cybersecurity program includes procedures for the detection, analysis, and mitigation of cybersecurity incidents. Our cybersecurity incident response includes criteria for prioritization and escalation based on severity under an established incident prioritization framework. Incidents are reported internally to senior management, the Board or the Board’s Audit and Finance Committee, as appropriate based on the potential severity of the incident. Incidents that are elevated based on their potential severity, including any event that is potentially material, are promptly escalated and analyzed for potential external reporting requirements.

As part of the Company’s information security training program, all employees participate in various cybersecurity awareness activities, including an annual Information Security Awareness training module and monthly simulated phishing events.

We leverage third-party service partners to expand the capabilities of our cybersecurity program. This may include testing of the program’s protection measures as well as services for incident detection, investigation, and recovery. We also leverage third-party service providers to conduct tabletop exercises and perform assessments against cybersecurity frameworks.

Our suppliers and third-party service providers are subject to cybersecurity obligations. Prior to engagement, we assess the cybersecurity posture of third-party service providers who store, process, or transmit Air Products’ information.

The Company maintains policies and procedures for preventive controls for enterprise applications including, but not limited to, access controls and change management. In addition, we maintain relevant business continuity and disaster recovery plans as part of our overall cybersecurity risk management strategy.

For a discussion of risks related to potential cybersecurity incidents, please refer to Item 1A, Risk Factors, of this Annual Report on Form 10-K.

Cybersecurity Governance

Our Board of Directors recognizes the importance of cybersecurity and has oversight responsibility for cybersecurity risks. The Board of Directors receives updates on our cybersecurity program at least quarterly from our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”). In addition, the Board’s Audit and Finance Committee, which is composed entirely of independent directors, receives quarterly reports regarding our ERM program and top risks, including those relating to cybersecurity.

Our CIO is a member of the Company’s Management Board and is responsible for the administration of the cybersecurity risk management program. Prior to joining the company in 2020, our CIO spent 24 years in the aerospace and defense industry and held multiple senior leadership roles within digital technology, leading large global organizations in all aspects of digital technology, including cybersecurity risk management.

Under the direction of our CIO, our CISO leads the execution of the cybersecurity risk management program for our enterprise and operational technology systems. Our CISO is a seasoned cybersecurity executive with over 30 years of broad digital technology experience at Air Products. Our CISO has experience in leading global enterprise and operational technology cybersecurity programs, maintains a Certified Information Systems Security Professional certification, and has completed CISO executive education at Carnegie Mellon University. The Information Security leadership team that reports to the CISO is composed of four security leaders with over 80 years of combined experience and multiple professional certifications.

Our CISO has announced his intention to retire at the end of December 2024. The Company expects to appoint a successor in the near future.
Company Information
Name | Air Products & Chemicals, Inc. |
CIK | 0000002969 |
SIC Description | Industrial Inorganic Chemicals |
Ticker | APD - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | September 29 |