Ingevity Corp 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

Ingevity Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:18:55 EST.

Filings

10-K filed on 2025-02-19

Ingevity Corp filed a 10-K at 2025-02-19 16:18:55 EST
Accession Number: 0001653477-25-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY At Ingevity, we recognize the paramount importance of cybersecurity in safeguarding sensitive information. We align with industry standards, including the ISO 27001 information security framework, for which we became certified in 2024. Our comprehensive cybersecurity program is led by a team of diverse, highly skilled professionals, and we invest in modern technologies, including artificial intelligence and machine learning, to fortify our defenses. We actively collaborate with local, state and federal agencies, as well as peers in the chemical manufacturing industry to identify the latest threats and implement effective defenses that safeguard our employees and customers. Key Components of Our Cybersecurity Program: Leadership and Governance. We have a team of skilled internal and external cybersecurity professionals, led by our Vice President of Information Technology, Chief Information Officer and Chief Information Security Officer (“CIO”) , who has over three decades of experience in information security and information technology infrastructure. Our team has experience in information security and information technology infrastructure and holds several advanced and expert licenses and certifications, including International Society of Automation 62443, Cybersecurity Expert and International Information System Security Certification Consortium (ISC2), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP). Beginning in 2025, the Sustainability & Safety Committee of our Board of Directors (“the Board”) has oversight of our cybersecurity and risk management programs. Prior to that, the full Board exercised oversight of cybersecurity risk management. The Board moved oversight of cybersecurity risk management into the Sustainability & Safety Committee to allow for more in-depth reviews. The Sustainability & Safety Committee receives at least quarterly updates from the CIO on cybersecurity matters and our related risk management program, and periodic updates from external cybersecurity experts on the overall risk landscape. Our full Board of Directors also receives an update at least once a year on these matters in addition to regular reporting from the Sustainability & Safety Committee on matters reviewed. We have implemented processes for continual monitoring of our information systems, including the deployment of advanced security measures and system audits to identify potential vulnerabilities. If a cybersecurity incident were to occur, we have developed and documented an incident response plan that includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Additionally, our CIO regularly meets with our executive management leadership team to provide updates on our cybersecurity risks and incidents ensuring management is keenly aware of any potential threat. Protection of Sensitive Information. We enforce collection, storage, and access controls of personal, proprietary, and confidential information, focusing on protecting trade secrets, intellectual property, clinical trial data, third-party information, and employee data. Industry-Standard Frameworks and Policies. We incorporate industry-standard frameworks, policies, and practices such as ISO 27001 which are designed to protect the confidentiality and privacy of information. Protection Mechanisms. We currently adhere to the ISO 27001 information security framework and are advancing our program having achieved ISO 27001 certification in 2024. We continuously monitor our enterprise network and have deployed detective and preventative controls. In-depth third-party security assessments are conducted annually. Incident Response and Testing. We maintain a robust cybersecurity incident response plan that incorporates regular simulations, drills, vulnerability scans, penetration testing and third-party assessments to evaluate and enhance our cybersecurity controls and resilience. Third-Party Monitoring . We partner with a managed security services provider for 24/7 monitoring of our enterprise network. We require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity measures aligned with applicable legal standards and industry best practices. Our proactive approach to cybersecurity involves the integration of leading technologies and collaboration with third-party experts to ensure alignment with industry standards. We believe these measures contribute to the protection of both our organization’s and our clients’ sensitive information. During the past three years, there have been no material impacts from cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, 23 or financial condition. Despite our security architecture and controls, and those of our third-party providers, we may be vulnerable to cyber-attacks, computer viruses, security breaches, ransomware attacks, inadvertent or intentional employee actions, system failures, and other risks that could materially impact our financial results and our results of operations.

Company Information