Chemours Co - (CC)

10-K Filing Date: March 27, 2024
Item 1C. CYBERSECURITY

 

Chemours recognizes the critical importance of maintaining a cybersecurity program to provide a secure and reliable computing environment protecting the Company’s information, systems and assets and to enable our digital transformation goals. Our cyber and information security program (the “Program”) is based upon standards published by the National Institute of Standards and Technology (“NIST”) in their Cybersecurity Framework. The goals of our Program are:

identifying, preventing, and mitigating cybersecurity threats to the Company;
preserving the confidentiality, security, and availability of the information that we collect and store to use in our business;
protecting the Company’s intellectual property;
maintaining the confidence of our customers, business partners and other stakeholders; and
providing appropriate public disclosure of cybersecurity risks and incidents, when required.

The Chief Information Security Officer (“CISO”) is the Chemours executive principally responsible for managing and maintaining the Program, and is accountable for managing risk, ensuring that the organization’s security posture is aligned with its business objectives, and providing timely updates to senior management on such efforts. The CISO reports to the Interim Enterprise Transformation Leader. The current CISO has more than six years with Chemours and over 25 years of total cyber and information security experience with multiple companies across both the private and public sector in CISO and other information security roles.

 

The CISO manages and is supported by a global team of risk managers, cyber defenders, architects, and engineers with the knowledge and experience to carry out day-to-day cybersecurity operations. They are also supported by third parties who provide threat intelligence, global infrastructure monitoring, and threat detection and response to cyber events. In addition, our Corporate Security team, a part of the Legal organization, has open lines of communication with various Federal, State and International law enforcement agencies to gain access to the latest cyber situational awareness.

 

We assess third-party cybersecurity controls through a cybersecurity questionnaire and include information security and privacy addendums to our contracts, where applicable. We also require that our vendors and other third parties report cybersecurity incidents to us so that we can assess the impact of the incident on us.

 

Chemours educates its employees and contractors annually on cyber risks and prevention, monthly using online situational awareness training, active employee engagement, and ongoing phishing simulations.

 

The CISO has an incident response plan designed to address potential cybersecurity incidents and notify appropriate leadership while determining the material impact through a cyber sub-committee of management’s Disclosure Committee. The plan also includes implementing long-term strategies for recovery and prevention of future incidents.

 

We manage the cybersecurity risk under our Enterprise Risk Management (“ERM”) program, where we assess key risks within the Company. The board of directors is responsible for oversight of the Company’s enterprise risk management and is informed of the risks associated with cybersecurity through periodic ERM updates. A key part of the Company’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company’s processes and practices through auditing, assessments, tabletop exercises, threat modeling, and other exercises focused on evaluating the effectiveness of the Program.

The Audit Committee is central to the board of directors' oversight of cybersecurity and regularly meets with the CISO to review and discuss cybersecurity risks, the status of ongoing cyber initiatives and strategies, incident reports and learnings, as well as key performance indicators. The results of any cyber risk assessments, audits, and reviews are reported to the Audit Committee and the board of directors, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.

 

Although our Risk Factors include further details about the cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

 

 
