KRONOS WORLDWIDE INC - (KRO)
10-K Filing Date: March 06, 2024
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. Our cybersecurity programs are built on operations and compliance foundations. Operations focus on continuous detection, prevention, measurement, analysis, and response to cybersecurity alerts and incidents and on emerging threats. Compliance establishes oversight of our cybersecurity programs by creating risk-based controls to protect the integrity, confidentiality, accessibility, and availability of company data stored, processed, or transferred. Our cybersecurity program is integrated within our overall risk management processes.
Our corporate cybersecurity program is led by our chief information officer (CIO), who is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. Our CIO has extensive information technology and program management experience and leads a team with many years of experience within our organization. Our cybersecurity risks are also reviewed and tested annually through third-party assessments and internal and external information technology audits. Our information technology team reviews cybersecurity risks at the enterprise risk management level annually. Our CIO reports to our chief executive officer.
We continually enhance our security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Third parties also play a role in our cybersecurity. We engage third-party services to evaluate our security controls through penetration testing and red team testing, to consult on best practices, and to help address new challenges. These evaluations test both the design and the operational effectiveness of our security controls. All employees are required to complete cybersecurity training at least twice a year and have access to more frequent cybersecurity training online. We also require employees in certain roles to complete additional role-based, specialized cybersecurity training.
We have a Cybersecurity Incident Disclosure and Controls Committee (CIDAC) which is central to our response to and evaluation of cybersecurity incidents. Our CIDAC consists of our CIO and other senior executives, including our chief financial officer, chief operating officer and general counsel. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Our IT team is responsible for categorizing cybersecurity incidents, and incidents evaluated to be high or critical security risks are brought to the CIDAC for review and evaluation. Incidents are evaluated to determine materiality as well as operational and business impact. The CIDAC performs simulations and tabletop exercises at a management level to evaluate our readiness and response to cybersecurity incidents. External resources and advisors are incorporated as needed.
Our board of directors oversees management's processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our CIO and chief financial officer, regularly briefs the board of directors on our cybersecurity and information security posture, and the board of directors is apprised of cybersecurity incidents deemed to have a high or critical business impact, even if immaterial to us. The board has delegated some of its primary risk oversight to board committees; in particular, our audit committee facilitates the board's oversight of our overall risk management approach. The full board retains oversight of cybersecurity because of its importance to us and its visibility with our customers.
In the event of an incident, we intend to follow our detailed incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery, and notification. This includes notifying functional areas (such as legal and human resources), senior leadership, and the board as appropriate.
We face a number of cybersecurity risks in connection with our business. To date, such risks have not materially affected us, including our business strategy, results of operations or financial condition. While we have not experienced any breaches, we have encountered occasional attempts targeting our data and systems, including instances of malware and computer virus infiltration; thus far all such incidents have been minor. For more information about the cybersecurity risks we face, see the risk factor entitled "Technology failures or cybersecurity breaches could have a material adverse effect on our operations." in Item 1A - Risk Factors.