Celanese Corp - (CE)

10-K Filing Date: February 23, 2024
Item 1C.  Cybersecurity
Cybersecurity Risk Management and Oversight
Strategy for Management of Cybersecurity Risk
Cybersecurity protection and data privacy are important to maintaining our proprietary information and the trust of our customers, suppliers and employees, and we recognize the importance of working to secure our data and information systems from potential cybersecurity and data privacy incidents. We are a large global manufacturer with sites around the world, and we identify and assess our cybersecurity risk through that lens. Securing the execution and control of our manufacturing operations, to the extent implemented through digital technology, is a primary area of focus. We also face risks encountered by substantially all large global companies such as the risks of intellectual property and information being compromised, fraud and violation of privacy or security laws.
We identify, assess, manage and mitigate cybersecurity risk through a risk management program based on the NIST Cybersecurity Framework that is regularly assessed by a third party cybersecurity consultant. As part of our processes, we perform routine scanning and have an established vulnerability management program and patching policy. We have in our learning management system a comprehensive cybersecurity awareness course that is mandatory for all employees with computers and covers key topics such as identifying workplace cybersecurity hazards and attacks, and our separate CyberSAFE and Data Privacy intranets provide content to help employees identify and avoid cybersecurity and data privacy risks. We also have data privacy educational tools, policies and procedures to help employees prevent, recognize and report data privacy incidents. We perform penetration tests and vulnerability and breach assessments with third-party advisors to support our compliance with laws and regulations including those applicable to chemical manufacturing sites. We also have a third-party risk management program with a formal approach to evaluating and managing risks associated with third-party information technology solutions and software. We maintain cyber/information security insurance to protect against certain expenses and liabilities that may be incurred in the event of an incident.
Cybersecurity risk is managed as part of our broader enterprise risk management program. Specifically, a risk management workstream focused on our information technology function (including cybersecurity) is designed to assess, identify and manage cybersecurity-related risks and mitigation measures.
Our cybersecurity risk program also includes a documented incident response plan to be used in the event of a cybersecurity incident. The incident response plan provides for certain responses based on various factors of a cybersecurity incident.
Governance and Oversight
Primary responsibility for assessing and managing risks from cybersecurity threats resides with our management team, including a Chief Information Officer who has nearly 30 years of information technology experience including leadership roles at multiple large, global and/or publicly-traded companies, and a Chief Information Security Officer who has over 30 years of experience in cybersecurity with large international publicly-traded companies and who holds a Certified Information Systems Security Professional (CISSP) certification. These individuals, together with others on their teams, are informed about the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents through their management of and participation in the cybersecurity risk management policies, processes and operations discussed above. They regularly report to and consult with the executive leadership team on such matters.
At the Board level, the full Board and its Environment, Health, Safety, Quality and Public Policy ("EHSQPP") Committee (which oversees many of our operational risks related to manufacturing) are both involved in oversight of the Company's management of cybersecurity risk. Management, including the Chief Information Officer and Chief Information Security Officer, updates our EHSQPP Committee and full Board on cybersecurity matters quarterly. We also have processes by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported in a timely manner to the Board.
Additional Information
For additional information on the risks we face related to cyber and information security threats, please see the risk factors in Item 1A. Risk Factors titled "Production at our manufacturing facilities, or at our suppliers', could be disrupted for a variety of reasons, which could prevent us from producing enough of our products to maintain our sales and satisfy our customers' demands" on page 19 and "We are subject to information or operational technology cybersecurity threats that could materially affect our business" on page 22.