STEPAN CO - (SCL)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management

We assess, identify and manage material risks from cybersecurity threats through various policies, procedures and processes, including through our Enterprise Risk Management program (ERM), our information security policies and standards, workforce cybersecurity trainings and third-party assessments and programs.

The Company uses ERM principles to help identify, prevent, and mitigate potential risks, including cybersecurity and related risks. We base our ERM program on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. Individuals representing Stepan’s global locations and functions contribute to our risk assessments at least annually through surveys and in-person interviews. Members are polled quarterly to spot emerging risks and trends. The Company’s Vice President, Chief Compliance and Risk Officer leads the ERM program and reports regularly to the Audit Committee of the Board of Directors on ERM matters.

The Company maintains cybersecurity programs according to the set of guidelines developed by the National Institute of Standards and Technology through the Cybersecurity Framework. The Company maintains a set of IT Security Standards that provides a framework of layered security protection. In addition, the Company maintains and communicates to its workforce a Use of Information Technology Policy to support the understanding of and commitment to safely using IT assets. This knowledge can help prevent accidental or intentional misuse of Company IT resources, which can compromise the confidentiality, integrity, and availability of sensitive data and systems. The Company requires cybersecurity training to raise awareness and educate employees about cybersecurity risks. The Company updates its training program at least annually.

The Company engages a variety of IT assessors to evaluate and test the Company’s cybersecurity and cybersecurity controls. Additionally, the Company engages IT consultants to provide tabletop exercises, ransomware simulations, cyber policy and standards development, cybersecurity, data security, and IT training events, cybersecurity and data security testing and monitoring, and cybersecurity implementation projects.

Although the Company has put in place the cybersecurity policies, procedures and processes described above, the Company remains exposed to cybersecurity attacks and incidents and misuse or manipulation of any of its IT systems, which could have a material adverse effect on its business strategy, results of operations or financial condition. As of the filing of this Form 10-K, we are not aware of any attacks, incidents, misuse or manipulation that have occurred since the beginning of 2023 that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition. For risks associated with cybersecurity threats, see the risk factor “The Company relies extensively on information technology (IT) systems to conduct its business. Interruption of, damage to or compromise of the Company’s IT systems and failure to maintain the integrity of customer, colleague or Company data could harm the Company’s reputation and have an adverse effect on the Company’s business, financial position, results of operations and cash flows.” included in “Part I—Item 1A. Risk Factors” of this Annual Report on Form 10-K.

Cybersecurity Governance

The Audit Committee of the Company’s Board of Directors (the Audit Committee) oversees the Company’s cybersecurity risk management. The Audit Committee receives quarterly reports on cybersecurity risks and risk management from the Company’s Vice President of Information Technology. The Company’s Vice President of Information Technology, who reports to the Vice President and Chief Financial Officer, is in charge of assessing and managing our risks related to cybersecurity and oversees a team of full-time cybersecurity specialist employees. Utilizing the processes noted above, this team remains informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. The Company’s Vice President of Information Technology has served in a variety of IT and cybersecurity roles for twenty-five years, including serving in IT infrastructure, cybersecurity, enterprise application, and project management office leadership roles for both public and privately held companies in the chemical, pharmaceutical, and manufacturing industries. He has earned the IT Infrastructure Library (ITIL) Service Master Certification. The Company’s Cybersecurity Manager, who reports to the Vice President of Information Technology, has earned multiple cybersecurity industry certifications and has over fifteen years of IT and cybersecurity experience. The Company’s cybersecurity program and cybersecurity practices are reviewed by internal and external auditors. The Company’s cybersecurity team provides periodic reports to such auditors.