Page last updated on February 4, 2025
DOW INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-04 07:57:08 EST.
Filings
10-K filed on 2025-02-04
DOW INC. filed a 10-K at 2025-02-04 07:57:08 EST
Accession Number: 0001751788-25-000012
Item 1C. Cybersecurity.
Goodwill: An impairment of goodwill could negatively impact the Company’s financial results.
At least annually, the Company assesses goodwill for impairment. If testing indicates that goodwill is impaired, the carrying value is written down based on fair value with a charge against earnings. Where the Company utilizes a discounted cash flow methodology in determining fair value, continued weak demand for a specific product line or business could result in an impairment. Accordingly, any determination requiring the write-off of a significant portion of goodwill could negatively impact the Company’s results of operations. See Note 12 to the Consolidated Financial Statements for additional information regarding the Company’s goodwill impairment testing.

Operational Event: A significant operational event could negatively impact the Company’s results of operations.
As a diversified chemical manufacturing company, the Company’s operations at each site, including maintenance of its facilities, the transportation of supplies and products, cyberattacks, the Company’s limited utilization of AI in its operations, pandemics and other public health-related events or severe weather conditions and other natural phenomena (such as freezing, drought, hurricanes, earthquakes, tsunamis, floods, etc.) could result in an unplanned or unintended event that could be significant in scale and could negatively impact operations, neighbors or the public at large, which could have a negative impact on the Company’s results of operations.

Major hurricanes and other weather-related events have caused significant disruption in the Company’s operations on the U.S. Gulf Coast, logistics across the region, and the supply of certain raw materials, which had an adverse impact on volume and cost for some of its products. Due to the Company’s substantial presence on the U.S. Gulf Coast, similar severe weather conditions or other natural phenomena in the future could negatively impact the Company’s results of operations. Other non-weather-related unplanned events have also caused disruptions in the Company’s operations at various sites. While the Company has processes in place to minimize the risks and impacts of such events, such unplanned future events could negatively impact the Company’s results of operations.

Raw Materials: Availability of purchased feedstock and energy, and the volatility of these costs, impact Dow’s operating costs and add variability to earnings.
Purchased feedstock and energy costs account for a substantial portion of the Company’s total production costs and operating expenses. The Company purchases hydrocarbon-based raw materials including ethane, propane, butane, naphtha and condensate as feedstocks and purchases certain monomers, primarily ethylene and propylene, to supplement internal production, as well as other raw materials. The Company also purchases natural gas, primarily to generate electricity, electric power to supplement internal generation, and steam.

Feedstock and energy costs generally follow price trends in crude oil and natural gas, which are sometimes volatile. Power prices often follow general energy trends, and are additionally subject to short-term surfeits and shortages related to, for example, intermittent wind and solar generation, and power generation and transmission outages. While the Company uses its feedstock flexibility and financial and physical hedging programs to help mitigate feedstock cost increases, the Company is not always able to immediately raise selling prices. Ultimately, the ability to pass on underlying cost increases is dependent on market conditions. Conversely, when feedstock and energy costs decline, selling prices generally decline as well. As a result, volatility in these costs could impact the Company’s results of operations.

While the Company expects abundant and cost-advantaged supplies of natural gas liquids (“NGLs”) in the United States to persist for the foreseeable future, if NGLs become significantly less advantaged than crude oil-based feedstocks, it could have a negative impact on the Company’s results of operations and future investments. Also, if the Company’s key suppliers of feedstock and energy are unable to provide the raw materials required for production, it could have a negative impact on the Company’s results of operations.

PANDEMIC-RELATED RISKS

Public Health Crisis: A public health crisis or global outbreak of disease could have a negative effect on the Company’s manufacturing operations, supply chain and workforce, creating business disruptions that could have a substantial negative impact on the Company’s results of operations, financial condition and cash flows.
A public health crisis, including a pandemic similar in nature to coronavirus disease 2019, could impact all geographic regions where Dow products are produced and sold. The global, regional and local spread of a public health crisis could result in, and in the past has resulted in, significant global mitigation measures, including government-directed quarantines, social distancing and shelter-in-place mandates, travel restrictions and/or bans, mask and vaccination mandates, restrictions on large gatherings and restricted access to certain corporate facilities and manufacturing sites.

Business disruptions and market volatility resulting from a public health crisis could have a substantial negative impact on the Company’s results of operations, financial condition and cash flows. The adverse impact of a pandemic could include, and in the past has included, without limitation, fluctuations in the Company’s stock price due to market volatility; a decrease in demand for certain Company products; price declines; reduced profitability; supply chain disruptions impeding the Company’s ability to ship and/or receive product; temporary idling or permanent closure of select manufacturing facilities and/or manufacturing assets; asset impairment charges; interruptions or limitations to manufacturing operations imposed by local, state or federal governments; reduced market liquidity and increased borrowing costs; workforce absenteeism and distraction; labor shortages; customer credit concerns; increased cybersecurity risk and data accessibility disruptions due to remote working arrangements; workforce reductions and fluctuations in foreign currency markets. Additional risks may include, but are not limited to: shortages of key raw materials; potential impairment in the carrying value of goodwill; additional asset impairment charges; increased obligations related to the Company’s pension and other postretirement benefit plans; and tax valuation allowance; and may also have the effect of heightening many of the other risks described in this “Risk Factors” section.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The Company has processes in place to identify, assess and monitor material risks from cybersecurity threats, which are part of the Company’s overall enterprise risk management process and have been embedded in the Company’s operating procedures, internal controls and information systems.

Dow’s comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages International Organization for Standardization 27001/27002 standards for general information technology controls, International Society of Automation/International Electrotechnical Commission standards for industrial automation, the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”) for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls. In addition, the Company maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy.

Dow has comprehensive processes to manage cybersecurity risks when engaging with third-party service providers, including reviewing questionnaires and independent quantitative scores of the vendor’s cyber hygiene, maintaining robust controls to address and mitigate significant risks that may arise, and performing ongoing assessments and reviews throughout the duration of the engagement.

Dow has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees, contractors and third parties with access to the Company’s network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities including phishing, viruses, spams, insider threats, suspect human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular Company communications with frequent updates to educate on the latest adversary trends and social engineering techniques. Additionally, Dow engages in cyber crisis response simulations to assess Dow’s ability to adapt to information and operational technology threats. Improper or illegitimate use of the Company’s information system resources or violation of the Company’s information security policies and procedures is subject to disciplinary action.

Dow’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including Multi-Factor Authentication and principles of Zero Trust to ensure that access to information and communication is vetted and secure. Dow also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate Dow’s security posture. The Company also engages external firms to measure Dow’s NIST CSF maturity level.

As of the date of this report, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. Although the Company has mature processes in place to identify and mitigate potential risks from cybersecurity threats, such risks cannot be completely eliminated. More information on the risks of cybersecurity threats and potential impact to the Company can be found in Item 1A. Risk Factors.

Governance

Role of Management

Dow’s Information Systems organization is led by Dow’s Chief Information and Digital Officer, who reports to Dow’s Chief Operating Officer, and is responsible for administration of the cybersecurity and information security framework and risk management, with oversight by the Audit Committee of the Board. The Company’s Chief Information and Digital Officer has formal education in information technology and more than 30 years of experience in information systems and technology, including as the vice president of Global Information Technology. Prior to joining Dow, the Chief Information and Digital Officer held a variety of leadership roles including vice president of Information Technology at Cargill, Incorporated. The Chief Information and Digital Officer receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.

The Company’s management responsible for developing and executing Dow’s cybersecurity policies is comprised of individuals with either formal education and degrees in information technology or cybersecurity, or with experience working in information technology and cybersecurity, including relevant experience in security related industries. Additionally, leaders in the Company’s information technology function receive periodic training and education on cybersecurity related topics. Certain leaders also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.

The Company’s Cyber Security Operations Center (“CSOC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or Dow internal information systems and incidents originating from third parties. The CSOC provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cybersecurity incidents. The CSOC evaluates each incident in terms of its impact on the Company’s operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. The CSOC is also responsible for activating the containment and resolution efforts and third-party service providers are engaged where appropriate to support the Company through the resolution of the incident. The CSOC escalates incidents with significant impact and pervasiveness to the Company’s Corporate Crisis Management Team for further action. After initial identification, the CSOC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.

Role of the Board

Dow’s Board recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk, at least annually. While the full Board is accountable for cybersecurity and AI risk management, the Board has delegated responsibility for oversight of the Company’s cybersecurity and information security framework and risk management to the Audit Committee of the Board.

The Audit Committee receives information and updates at least quarterly and actively engages with senior leaders, including the Chief Information and Digital Officer and Chief Information Security Officer, with respect to the effectiveness of the Company’s cybersecurity and information security framework, data privacy, and risk management. In addition, the Audit Committee receives reports summarizing threat detection and mitigation plans, audits of internal controls, training and certification, and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to information systems security, including cybersecurity incidents. The Audit Committee also reviews external firms’ assessments of the Company’s security posture and NIST CSF maturity level. Information made available to the Audit Committee is also made available to the full Board. The Audit Committee includes members with significant experience and/or expertise in technology or cybersecurity, including information systems.
Company Information
Name | DOW INC. |
CIK | 0001751788 |
SIC Description | Plastic Materials, Synth Resins & Nonvulcan Elastomers |
Ticker | DOW - NYSE |
Category | Large accelerated filer |
Fiscal Year End | December 30 |