Page last updated on February 4, 2025
UNION CARBIDE CORP /NEW/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-04 07:45:55 EST.
Filings
10-K filed on 2025-02-04
UNION CARBIDE CORP /NEW/ filed a 10-K at 2025-02-04 07:45:55 EST
Accession Number: 0000029915-25-000003
Item 1C. Cybersecurity.
PANDEMIC-RELATED RISKS

Public Health Crisis: A public health crisis or global outbreak of disease could have a negative effect on the Corporation’s manufacturing operations, supply chain and workforce, creating disruptions that could have a substantial negative impact on the Corporation’s results of operations, financial condition and cash flows. UCC sells substantially all of its products to TDCC in order to simplify the worldwide customer interface process and, as a result, the Corporation is subject to many of the same global risk factors facing TDCC, including those that may be presented by a public health crisis. A public health crisis, including a pandemic similar in nature to coronavirus disease 2019, could impact all geographic regions where UCC’s products are produced and sold. The global, regional and local spread of a public health crisis could result in, and in the past has resulted in, significant global mitigation measures, including government-directed quarantines, social distancing and shelter-in-place mandates, travel restrictions and/or bans, mask and vaccination mandates, restrictions on large gatherings and restricted access to certain corporate facilities and manufacturing sites. Business disruptions and market volatility resulting from a public health crisis could have a substantial negative impact on the Corporation’s results of operations, financial condition and cash flows.

The adverse impact of a pandemic could include, and in the past has included, without limitation: a decrease in demand for certain of the Corporation’s products; price declines; reduced profitability; supply chain disruptions impeding the Corporation’s ability to ship and/or receive product; temporary idling or permanent closure of select manufacturing facilities and/or manufacturing assets; asset impairment charges; interruptions or limitations to manufacturing operations imposed by local, state or federal governments; reduced market liquidity and increased borrowing costs; workforce absenteeism and distraction; labor shortages; increased cybersecurity risk and data accessibility disruptions due to remote working arrangements; and workforce reductions. Additional risks may include, but are not limited to: shortages of key raw materials; additional asset impairment charges; increased obligations related to the Corporation’s pension and other postretirement benefit plans; and tax valuation allowances. A pandemic may also have the effect of heightening many of the other risks described in this “Risk Factors” section.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Dow has processes in place to identify, assess and monitor material risks from cybersecurity threats, including the material risks of the Corporation. These processes are part of Dow’s overall enterprise risk management process and have been embedded in Dow’s operating procedures, internal controls and information systems. Dow’s comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense.

The framework leverages International Organization for Standardization 27001/27002 standards for general information technology controls, International Society of Automation/International Electrotechnical Commission standards for industrial automation, the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”) for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls. In addition, Dow maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy. Dow has comprehensive processes to manage cybersecurity risks when engaging with third-party service providers, including reviewing questionnaires and independent quantitative scores of the vendor’s cyber hygiene, maintaining robust controls to address and mitigate significant risks that may arise, and performing ongoing assessments and reviews throughout the duration of the engagement.

Dow has established cybersecurity and information security awareness training programs. Formal training on topics relating to Dow’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees, contractors and third parties with access to Dow’s network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspect human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge of potential risks related to their individual job responsibilities. Training is supplemented through regular Dow company-wide communications with frequent updates to educate on the latest adversary trends and social engineering techniques.

Additionally, Dow engages in cyber crisis response simulations to assess Dow’s ability to adapt to information and operational technology threats. Improper or illegitimate use of Dow’s information system resources or violation of Dow’s information security policies and procedures is subject to disciplinary action. Dow’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology, including Multi-Factor Authentication and principles of Zero Trust, to ensure that access to information and communication is vetted and secure. Dow also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate Dow’s security posture. Dow also engages external firms to measure Dow’s NIST CSF maturity level.

As of the date of this report, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Corporation, including its business strategy, results of operations or financial condition. Although the Corporation has mature processes in place to identify and mitigate potential risks from cybersecurity threats, such risks cannot be completely eliminated. More information on the risks of cybersecurity threats and their potential impact on the Corporation can be found in Item 1A. Risk Factors.

Governance

Role of Management

Dow’s Information Systems organization is led by Dow’s Chief Information and Digital Officer, who reports to Dow’s Chief Operating Officer, and is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation, with oversight by the Dow Inc. Audit Committee. Dow’s Chief Information and Digital Officer has formal education in information technology and more than 30 years of experience in information systems and technology, including as the vice president of Global Information Technology. Prior to joining Dow, the Chief Information and Digital Officer held a variety of leadership roles, including vice president of Information Technology at Cargill, Incorporated. The Chief Information and Digital Officer receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.

Dow management responsible for developing and executing its cybersecurity policies comprises individuals with either formal education and degrees in information technology or cybersecurity, or with experience working in information technology and cybersecurity, including relevant experience in security-related industries. Additionally, leaders in Dow’s information technology function receive periodic training and education on cybersecurity-related topics. Certain leaders also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.

Dow’s Cyber Security Operations Center (“CSOC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or Dow internal information systems and incidents originating from third parties. The CSOC provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cyber incidents. The CSOC evaluates each incident in terms of its impact on Dow’s and the Corporation’s operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. The CSOC is also responsible for activating the containment and resolution efforts, and third-party service providers are engaged where appropriate to support Dow through the resolution of the incident. The CSOC escalates incidents with significant impact and pervasiveness to Dow’s Corporate Crisis Management Team for further action. After initial identification, the CSOC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.

Role of the Corporation’s Board

The Corporation’s Board of Directors (“Board”) recognizes the importance of cybersecurity in safeguarding the Corporation’s sensitive data. The Board is responsible for overseeing overall risk management for the Corporation, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk. The Corporation’s Board receives information and updates periodically with respect to the effectiveness of Dow’s cybersecurity and information security framework, data privacy and risk management, which includes that of the Corporation. The Board also receives updates on material incidents relating to information systems security, including cybersecurity incidents.
Company Information
Name | UNION CARBIDE CORP /NEW/ |
CIK | 0000100790 |
SIC Description | Industrial Organic Chemicals |
Ticker | |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |