LyondellBasell Industries N.V. - (LYB)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
We recognize sophisticated global cybersecurity threats and targeted computer crimes pose a continuously evolving risk to the confidentiality, availability, and integrity of our data, operations and infrastructure. We have implemented comprehensive practices to minimize these risks. Our cybersecurity program is certified to the International Organization for Standardization ISO 27001, a standard for information security management, which covers key areas of management, technical and physical controls, legal, compliance and business continuity management.
Our management utilizes a systematic approach to evaluating and determining risk tolerance and prioritizes the safeguarding of our digital assets. The Vice President of Cybersecurity leads our cybersecurity program and reports to the Executive Vice President and Chief Innovation Officer, who serves on the Executive Committee and reports to the CEO. The Vice President of Cybersecurity has a Master of Science degree in Cybersecurity Operations, is certified as an information security professional with the International Information System Security Certification Consortium (ISC2) and International Association of Privacy Professionals, and has over thirty years of leadership experience in technology, systems architecture, and cybersecurity.
Cybersecurity events are continuously monitored by global security operations centers staffed in the United States, European Union, and Asia Pacific regions, with events and incidents being managed based upon the MITRE ATT&CK framework, a system for classifying and describing cyber attacks and intrusions. Management provides guidance and is informed of cybersecurity events through a committee with cross-functional representation of executive leadership. The committee meets at least quarterly for activities such as determining policy, reviewing active risks, assessing the impact of emerging threats or regulatory changes, and monitoring active incidents. This committee also receives escalated alerts within 24 hours of confirmed cybersecurity events, and will determine the severity of the incident, engage with crisis management as necessary, and disseminate that information internally as appropriate and warranted.
Third-party service providers must meet baseline security requirements before they connect to our systems or manage sensitive information. They are evaluated based on risk, which is assessed across financial, operational, legal/regulatory, capacity, cybersecurity posture, and reputational impact. Additionally, high-risk third-party service providers are continuously monitored for security health and active threats.
We recognize the risk posed by global cybersecurity threats, and our Board is regularly updated on emerging risks and maintains oversight of our cybersecurity program implemented to address them. In 2023, the Board conducted its annual comprehensive review of specific cybersecurity and process control topics at its September meeting. Cybersecurity risk evaluation is integrated into our enterprise risk management processes and is presented to management and the Board as a part of that process.
While management is responsible for assessing and managing our day-to-day risks and control systems, the Audit Committee of the Board oversees our information technology and cybersecurity risks. The Committee conducts a comprehensive review of cybersecurity topics and reviews our programs and practices with management at least annually, and receives management’s report on our cybersecurity dashboard, which summarizes key security metrics and activities, at each quarterly Committee meeting.
To further advance cybersecurity awareness, we are developing solutions to mitigate the impact of third-party fraudulent cyber activity, including public facing portals for potential and current partners with capability to report suspected phishing.
Our cybersecurity program includes, but is not limited to:
• annual cybersecurity education for all company computer users on relevant policies and standards, and best practices at work and at home;
• communication processes including how to identify, respond to, and report threats or potential vulnerabilities;
• protective software installed and configured on Company systems and mobile devices, updated and patched on a regular basis, to provide the highest level of protection against malicious threats;
• an established program based on the MITRE ATT&CK framework for dealing with ransomware and other cybersecurity incidents;
• regular technical risk assessments of our network, applications and manufacturing facilities, using a combination of trusted suppliers and a dedicated, objective team;
• penetration, discovery and vulnerability assessments conducted daily;
• mobile threat protection mechanisms and policies;
• business continuity plans that are well documented and tested regularly; disaster recovery plans that are also well documented and tested at least annually; and
• coverage for non-damage business interruption or liability for data breaches as a part of the Company’s combined insurance programs.
In addition, in 2023, management conducted ransomware simulation exercises and engaged outside consultants to perform external perimeter penetration testing.
While we attempt to mitigate cybersecurity risks by employing a number of measures, as described above, our employees, systems, networks, products, facilities and services remain potentially vulnerable to ransomware or sophisticated espionage. Depending on their nature and scope, such threats could potentially lead to the compromise of confidential information, improper use of our systems and networks, manipulation and destruction of data, defective products, production downtimes and operational disruptions, which in turn could adversely affect our reputation, competitiveness and results of operations or financial condition. No risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition.