VALVOLINE INC 10-K Cybersecurity GRC - 2024-11-22

Page last updated on November 26, 2024

VALVOLINE INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-22 17:20:19 EST.

Filings

10-K filed on 2024-11-22

VALVOLINE INC filed a 10-K at 2024-11-22 17:20:19 EST
Accession Number: 0001674910-24-000152


Item 1C. Cybersecurity.

Valvoline is committed to protecting information that is valuable to customers and critical to business operations from unauthorized access and disclosure by devoting significant resources to protecting information systems and data through investing in people, technology, and processes to protect data and systems against evolving cybersecurity threats. A cybersecurity program has been designed and implemented that is believed to reasonably manage risks from cybersecurity threats and enable the Company to prevent, monitor, identify, detect, investigate, respond to, mitigate, and report on threats and incidents.

Cybersecurity governance

Valvoline has adopted a cross-functional and multi-management level approach to assessing and managing risks arising from cybersecurity threats. The Audit Committee of the Board (the “Audit Committee”) oversees the Company’s enterprise risk management program. As part of this oversight, the Audit Committee has primary responsibility for overseeing risks related to cybersecurity, although the Board retains ultimate oversight over these risks. The Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Audit Committee receives reports and presentations from the Senior Vice President and Chief Technology Officer (“CTO”) and Senior Director of Information Security during bi-annual meetings, and as needed, on a range of topics including, but not limited to, the cybersecurity program and processes, information systems, business risk identification and mitigation strategies, strategic updates, operational matters, the evolving cybersecurity threat landscape, regulatory developments, and notable incidents or threats affecting the Company.

The CTO, who serves as the Chief Information Security Officer (“CISO”) for the Company, is the primary executive responsible for leading the Company’s cybersecurity risk management program and has over 25 years of experience in various technology-related roles, including responsibilities related to managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. The Company’s Computer Security Incident Response Team (“CSIRT”) has primary responsibility for monitoring and enacting the incident response program and is led by the Senior Director of Information Security, who reports to the CTO. The CSIRT receives direction and guidance from various departments including operations, information technology, communications, legal, and human resources while being responsible for maintaining and operating incident response capabilities at Valvoline by collecting, aggregating, and analyzing detected alerts and events from computer systems across the enterprise. Valvoline’s CSIRT meets at least quarterly, and more frequently as appropriate, to review and discuss the Company’s cybersecurity program. The CSIRT has the authority and system entitlements to confiscate, isolate, or disconnect equipment; investigate suspicious activity; monitor usage; and disable system access in the proper execution of their duties. The CSIRT is responsible for declaring an incident and initiating escalation to the Incident Response Team (“IRT”).

The IRT is responsible for coordinating incident response activities across functions and is comprised of cross-functional and multi-management level personnel including, but not limited to, the Senior Director of Information Security, CSIRT Manager, Chief Legal Officer, Chief Audit Executive, Privacy & Compliance Counsel, Chief Technology Officer, Head of Global Insurance, Director of Corporate Communications, Chief Financial Officer, Chief Operating Officer, Chief Human Resource Officer, and Head of Physical Security. The IRT is also responsible for reporting incidents, following Valvoline’s Information Security Incident Response Plan (“IRP”), in accordance with legal requirements, coordinating external communications, and setting information sharing restrictions. Other departments or individuals may be engaged according to the specific nature of the incident and will operate at the direction of the IRT. Valvoline’s Senior Director of Information Security is responsible for the implementation of, and amendments to, the IRP and supporting procedures.

Risk management and strategy

Valvoline has developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of critical systems and information, in addition to a cybersecurity incident response plan based on the National Institute of Standards (“NIST”) Cybersecurity Framework (“CSF”). The program applies, where appropriate, to the Company’s internal and external information systems, applications, networks, and operations, which includes scanning, testing, and assessments designed to identify risks from cybersecurity threats. Management across various functional teams administer the enterprise risk management program, which is designed to identify, assess, and manage top enterprise risks, including risks arising from cybersecurity threats.

Valvoline continually evaluates and makes updates to the Company’s cybersecurity programs to align with regulatory requirements and industry best practices in order to keep company-wide training initiatives related to cybersecurity risks robust and up to date. The IRP was designed to comprehensively leverage capabilities throughout the Company and to provide a standardized framework for responding to cybersecurity incidents by coordinating an approach to investigate, contain, mitigate, fix vulnerabilities, determine legally required responses or notifications, and document cybersecurity incidents, including reporting and escalating findings as appropriate. The CSIRT, being responsible for incident response, assembles the IRT and assigns responsibilities based on the circumstances of the information security incident. Valvoline employs a risk-based approach to secure access to networks, systems, and applications for business partners and vendors receiving access to the environments and data. Business partners and vendors with whom information is shared to conduct business are required to safeguard it by appropriate means, including elevated contractual commitments when appropriate. The Company provides cybersecurity training to team members during onboarding and regularly thereafter and deploys technologies to automate and enhance operational security capabilities. In addition, Valvoline also uses third-party managed security services to augment the cybersecurity team’s capabilities. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including the business strategy, results of operations or financial condition, and management does not believe that such risks are reasonably likely to have such an effect over the long term.

However, due to evolving cybersecurity threats, and despite security measures taken, it may not be possible to anticipate, prevent, and stop future cybersecurity incidents, including attacks on information systems and data or those of relevant business partners. Additional information on cybersecurity risks identified is discussed in Item 1A of Part I, “Risk Factors”, which should be read in conjunction with this Item 1C. Cybersecurity.


Company Information

Name: VALVOLINE INC
CIK: 0001674910
SIC Description: Miscellaneous Products of Petroleum & Coal
Ticker: VVV - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29