ALBEMARLE CORP 10-K Cybersecurity GRC - 2025-02-12

Page last updated on February 12, 2025

ALBEMARLE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 17:09:12 EST.


10-K filed on 2025-02-12

ALBEMARLE CORP filed a 10-K at 2025-02-12 17:09:12 EST
Accession Number: 0000915913-25-000026


Item 1C. Cybersecurity.

Albemarle recognizes the importance of maintaining the security and integrity of our information systems and the data we collect, process, and store. We have implemented a comprehensive cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework (“CSF”). As such, we map the CSF to corresponding legal, regulatory, and industry security practices, which guide our global policies and procedures to prevent, identify, protect, detect, respond, and recover from cybersecurity threats and incidents. Our cybersecurity program is managed by our Cybersecurity Director and is overseen by our Chief Information Officer (“CIO”), who assumes responsibility for the Chief Information Security Officer (“CISO”) role. The cybersecurity program is integrated into our overall enterprise risk management framework and thus is factored into our long-term strategy and business continuity plans.

Our Cybersecurity Director brings extensive experience in cybersecurity, including service in U.S. Army Cyber Operations, and has led initiatives in threat management, risk mitigation, and security architecture to strengthen enterprise resilience. His expertise in incident response and security strategy ensures our cybersecurity program remains aligned with industry best practices and evolving cyber threats.

The Audit and Finance Committee (“AFC”) of our Board of Directors oversees information security matters and the Company’s cybersecurity program. Our CIO reports on cybersecurity related matters, including the status of ongoing initiatives, incident reporting, compliance with regulatory requirements and industry standards, and emerging threats in global cybersecurity, on an as needed basis, but at least annually, to the AFC and executive leadership. The AFC and executive leadership offer guidance on certain matters and approval for material initiatives. In addition, the full Board of Directors is updated on cybersecurity matters as needed depending on the nature and materiality of a cybersecurity matter.

All information assets are inventoried, classified, prioritized, and protected based on the respective risk, with appropriate cybersecurity controls applied to each. We have also implemented and maintain a documents management program which governs the classification, protection, and use of sensitive company data within the Albemarle environment. All business-requested technologies and third-party service providers must successfully complete a thorough cybersecurity and contract review before being approved for use, after which they are continuously monitored as part of our supply chain risk management program. Cybersecurity risks and potential costs are evaluated as a part of business operations, and the respective business impacts are continuously assessed to address evolving threats and vulnerabilities. We engage a third-party global firm to conduct an annual cyber assessment using the CSF, and we engage external vendors to validate our security controls and procedures through periodic penetration tests.

We follow a zero-trust architecture approach and enforce the use of multi-factor authentication and virtual private network technologies for all external access to provide secure support for our remote workers. Information security training is part of our compliance program, and includes mandatory security training for new hires, mandatory yearly security training for all staff, and periodic phishing tests to raise awareness and response actions. Our team of cybersecurity professionals are responsible for maintaining a global information systems environment that focuses on least privilege, least functionality, and network segmentation throughout the landscape using a layered approach (i.e. a defense-in-depth strategy). This includes a security operations center and cybersecurity analysts who provide 24/7 network monitoring.

As further discussed in Item 1A. Risk Factors, a material cybersecurity incident could significantly increase the cost of doing business or otherwise adversely impact our financial results and condition. To date we have not had a cybersecurity incident that has had, or is reasonably likely to have, a material effect on our financial results or business operations; however, we monitor and work to continuously improve our cybersecurity program as threats become more frequent and sophisticated.

Our manufacturing sites have formal business continuity plans that address site-specific priority responses, each determined through business impact analyses that integrate within our overall corporate crisis management response plan and enterprise risk management program. We conduct an annual incident response tabletop exercise as well as periodic exercises of formalized site business continuity plans. Lessons learned from the outcomes of these exercises are then assessed and used to inform and improve our formal cyber response procedures and business continuity plans.

In the event of, or the reasonably likely threat of, a cybersecurity incident, our cyber response procedures outline the tasks and timeline for the escalation of the incident to key members of the organization, including the information technology team, business unit management, and Albemarle executives and other key management. These individuals would participate in a special event management plan activation meeting to gain an understanding as to how the incident was detected and analysis of the incident. Each member of management involved would be responsible for assessing the risks, impact, and necessary response as determined by their role. The procedures include key considerations each manager should consider in their assessment as well as their responsibility for involvement in remediation efforts and post-incident strategic reviews. Specific legal and executive role procedures include the assessment of necessary internal communication and external reporting. The Chief Executive Officer, with the support of other executive officers, is responsible for approval of incident reporting and informing and updating the Board of Directors.

Company Information

SIC Description: Plastic Materials, Synth Resins & Nonvulcan Elastomers
Category: Large accelerated filer
Fiscal Year End: December 30