WESTLAKE CORP - (WLK)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
The Company maintains a comprehensive approach to cybersecurity and data protection, based on a risk-based, defense-in-depth strategy. We regularly assess industry best practices and standards and endeavor to implement them in our efforts to manage cybersecurity risk. We follow industry standard cybersecurity frameworks, including the National Institute of Standards and Technology's Cybersecurity Framework, to design, assess and update our cybersecurity strategy, controls and processes. Our focus is on protecting our highest-value information assets, which include manufacturing systems, financial systems, and confidential, personal, and private information.
To safeguard our networks and systems, we have a dedicated cybersecurity organization overseen by our Chief Information Security Officer, which operates within our information technology department overseen by our Chief Information Officer. Our cybersecurity organization employs multiple security controls, such as firewalls, spam protection, web filtering, endpoint detection and response software, controlled access, vulnerability management, redundancies, patching, and regular onsite and offsite backups. Our cybersecurity organization also uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and risk-based performance monitoring.
Both our Chief Information Officer and our Chief Information Security Officer have extensive experience in assessing and managing cybersecurity risks, including decades of collective experience in information technology and cybersecurity roles of increasing responsibility both at the Company and in prior positions. We prioritize cybersecurity awareness among our employees and contractors through various training exercises, including formal programs and simulated phishing events. We maintain incident response plans and playbooks, and engage third-party cybersecurity firms for simulated cyberattacks and penetration testing to identify potential risks. We also have a third-party cybersecurity firm on retainer for incident assistance and response. Periodic internal self-assessments are conducted by our cybersecurity organization using the National Institute of Standards and Technology Cybersecurity Framework.
From time to time, we experience cybersecurity threats and attempted breaches and other incidents. We classify and track these events based on significance and implement remediation actions that we consider appropriate to address the risks relating to such incidents. Although we have not experienced material impacts to our business strategy, results of operations or financial condition from any such incidents in the past three years, we cannot guarantee that a material incident will not occur in the future. Refer to "Failure to adequately protect critical data and technology systems could materially affect our operations" under "Item 1A. Risk Factors - Legal, Government and Regulatory Risks" of this Form 10-K.
Our Board has charged the Corporate Risk and Sustainability Committee with assisting the Board with its oversight of cybersecurity risks, which is a component of our overall enterprise risk management program. The Corporate Risk and Sustainability Committee includes directors with cybersecurity experience and expertise, primarily through supervision of information technology departments as executive officers. The Corporate Risk and Sustainability Committee receives regular updates from senior management and our Chief Information Officer on cybersecurity risks, incidents and trends, and ongoing and planned projects. Regular status reports are also provided by the cybersecurity organization to our Chief Information Officer and other members of our senior management, and incident updates are reported to senior management as the Chief Information Officer and cybersecurity organization consider appropriate depending on the severity of the incident.
As part of our incident response planning, we also maintain cross-functional response teams involving personnel outside of our cybersecurity organization, both globally and regionally, in order to be prepared to respond to an incident.