Tronox Holdings plc - (TROX)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
As part of our overall risk management system we maintain comprehensive policies and processes for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to production, safety, reputation, intellectual property, procurement and business continuity. Cybersecurity risk management is included as part of our overall annual Enterprise Risk Management program. As part of this program, our enterprise risk professionals consult with internal cybersecurity subject matter experts to identify cyber risks and evaluate their severity and the efficacy of our mitigation efforts, with the results being reported to the executive leadership team and the Board of Directors.
Our cybersecurity risk management processes and policies include the following:
•We seek to deploy best practice cybersecurity standards promulgated by the National Institute of Standards and Technology (NIST), the International Organization for Standardization and the Center for Internet Security.
•We employ a dedicated cybersecurity team who routinely conduct specific risk assessments and endeavor to mitigate identified risks. This team is responsible for implementing measures to detect, prevent and respond to threats and malicious activity. We also maintain a Security Operations Center (SOC) that provides a mechanism for addressing cyberthreats before they compromise data security.
•The cybersecurity team operates, maintains and monitors an integrated ecosystem of security tools designed to detect, prevent and respond to threats and malicious activity. These tools include, but are not limited to, next generation firewalls, anti-malware, IPS / IDS, endpoint protection, encryption, email and cloud app security, privileged access management, and vulnerability scanning / patching. These are a blend of on-premise, cloud and network hosted tools. Monitoring activities include threat hunting and use of multiple intelligence sources to manage and respond to events.
•Access to information is subject to authorization, review and classification, and is substantially controlled through multi-factor authentication.
•All employees and contractors who are issued a Tronox user account for our IT system must complete and pass cybersecurity training before being provided full system access.
•All employees and contractors with access to our IT systems must complete and pass a mandatory annual cybersecurity awareness training and acknowledgement of Tronox’s Acceptable Use Policy. Failure to complete the training successfully may result in further system access restrictions and HR escalation.
•We periodically orchestrate simulated phishing attacks on all IT system users and those who fall victim to the simulated attacks are required to take additional mandatory cybersecurity training.
•To reduce the risk of phishing attacks, we have identified groups of Tronox employees and contractors who do not require access to external emails in order to perform their work responsibilities and begun a process of blocking their external emails.
•We have a written Incident Response Plan that encompasses a range of activities to detect, respond to and recover from cybersecurity incidents, including compliance with applicable legal obligations and mitigation of damage.
•We work closely with a number of regional and international bodies from which we draw intelligence and contribute to cybersecurity initiatives such as incident simulation exercises and development working groups.
•We regularly evaluate the appropriateness of cyber insurance coverage in light of the cyber risks we face and we do not currently carry cyber insurance.
Additionally, in connection with our cybersecurity risk management processes, we engage third-party subject matter experts to supplement our dedicated internal resources and to provide independent review of the Tronox-specific threat landscape as well as our mitigation efforts to counter known threats. These activities include:
•External penetration testing by certified third parties.
•Independent review of the Tronox Information Security Management System (ISMS).
•Participating in industry and government cyber incident exercises run by the National Cyber Security Center (UK Security Services).
•Utilizing a third party (KnowBe4) for the cybersecurity training and phishing tests described above.
•Regularly engaging with statutory auditors in support of specific activities such as SOX 404 audits.
•Engaging outside counsel with expertise in the field to advise on critical IT contracts as well as reporting and disclosure requirements.
Our cybersecurity risk management policies and processes extend to cyber risks posed by our third-party service providers. To manage that risk we have implemented a process to identify critical vendors and perform a reasonable level of due diligence on the adequacy of their cybersecurity policies, processes and capabilities.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. Like most major corporations we have been the target of cyberattacks from time to time and we expect to be the target of such attacks in the future. In the past three years, however, we have not experienced a material information security breach. As such, we have not incurred any material expenses from cybersecurity breaches or any expenses from fines, penalties or settlements related to a cybersecurity breach. See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition.
Governance
Our entire Board of Directors provides oversight of the Company’s cybersecurity policies, processes and capabilities as part of their overall oversight of risk management. Once a year, our Vice President, Cyber Security reports to the Audit Committee providing a detailed update on the threat landscape, emerging trends and the Company’s mitigation efforts. This report also includes Tronox’s performance as measured by the NIST Cybersecurity Framework Scorecard. As needed on a periodic basis, our Vice President, Cyber Security updates the Audit Committee on specific cybersecurity events and newly emerging risks and the actions taken by the Company in response to those events and risks. The Audit Committee updates the full board on these matters as necessary. The full Board reviews and assesses cybersecurity risks in connection with its annual Enterprise Risk Management review.
In 2020, Tronox established an IT Security Council to help set corporate risk tolerance and related policy. The council meets quarterly, is chaired by the General Counsel and is managed by our Vice President, Cyber Security, with senior level representation from key functions and business units. On an annual basis, the Tronox Cybersecurity team reviews and updates the core governance documents, including the Acceptable Use Policy, the Information Security Policy, and the Incident Response Plan. These are then subject to review and approval by the Tronox Security Council, with a summary provided to the Audit Committee as a component of the annual cybersecurity Enterprise Risk Management review.
Day-to-day cybersecurity risk oversight governance is the responsibility of our Vice President, Cyber Security, who has been with Tronox since 2017 and reports to our Senior Vice President, Integrated Supply Chain and Digital Transformation. Tronox’s Vice President, Cyber Security has over 30 years of IT experience and 20 years of security experience, and was awarded a Member of the British Empire honor with respect to his work in the field. Previous roles include Interim Chief Information Security Officer for Pacnet (Hong Kong) and Director of Security for Level 3 Communications, along with multiple engagements for the UK government. He oversees a dedicated security team distributed globally with more than 15 members and over 100 years of aggregate cyber security experience.