SHERWIN WILLIAMS CO - (SHW)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
We maintain a cybersecurity program that is aligned with our business and focused on managing risks to our Company. As described below, we have established policies, standards, processes and practices for assessing, identifying and managing material risks from cybersecurity threats, which are integrated into our overall risk management program and governance structure.
We use various controls, technologies, and other processes designed to identify, protect against, detect, respond to and mitigate cybersecurity risks, in alignment with frameworks established by the National Institute of Standards and Technology (NIST). These include, but are not limited to, internal reporting, monitoring and detection tools, threat intelligence, and general and role-based training. We also maintain third party management processes to identify and manage the cybersecurity risks associated with third party service providers. We periodically evaluate and improve the effectiveness of our cybersecurity program internally and by engaging with consultants and other third party advisors to conduct reviews and assessments of our program. These periodic assessments and reviews may include penetration and vulnerability testing, simulations, table-tops, and other exercises.
Overseeing the assessment and management of our exposure to various risks, including cybersecurity, is a key oversight responsibility for the Board of Directors. We have an enterprise risk management (ERM) program that includes the processes used to identify, assess, and manage our most significant enterprise risks and uncertainties that could materially impact the long-term health of the Company or prevent the achievement of strategic objectives. These risks are identified, measured, monitored and managed across key risk categories, which include the consideration of cybersecurity risks. Our chief financial officer (CFO) facilitates the Company’s ERM program, which includes a formal assessment of the Company’s risk environment at least once per year. The ERM program also facilitates the incorporation of risk assessment and evaluation into the strategic planning process and the provision of regular reports to senior management, including our CEO. The Audit Committee assists the Board with its oversight of both the ERM program and cybersecurity risk, providing regular reports to the Board. Our CFO reviews the ERM program with the Audit Committee at least once per year, including reviewing existing risks and significant emerging risks across the Company’s key risk categories. In reviewing specific threats and risks with the Board, senior management may incorporate reports from consultants and other third party advisors.
Our Chief Information Security Officer (CISO) leads our global cybersecurity program and is responsible for management of our cybersecurity risks. Our CISO reports to our CFO. Our CISO has served in that position since 2022 and has relevant experience in cybersecurity leadership positions, including prior experience as CISO of a public company. The Audit Committee regularly reviews our risk exposures relating to cybersecurity with our CISO and CFO, including the review of the state of the Company’s cybersecurity and emerging cybersecurity developments and threats, and the steps management has taken to monitor and mitigate such exposures. Our CISO manages a team of cybersecurity professionals with expertise and experience in information security.
Our CISO is informed of cybersecurity incidents by the cybersecurity team’s security operations center, which is generally responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. We have an established process governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident, including for our evaluation of materiality. Depending on the nature and severity of an incident, this process provides for escalating notification to our CEO and Board of Directors.
Despite our efforts to prevent cybersecurity threats and incidents, our systems may be affected by damage or interruption resulting from, among other causes, cyber attacks, security breaches, power outages, system failures or malware (including ransomware and other programs that operate with malicious intent). Disruptions to these systems may impair our ability to conduct business and have a material adverse effect on our business, results of operations and financial condition. Despite the security measures we have in place, our facilities and systems, and those of third parties we rely on or do business with, may be vulnerable to cyber attacks, security breaches, malware (including ransomware and other programs that operate with malicious intent), power outages, system failures, acts of vandalism, human or technical errors or other similar events or disruptions. Any such event involving the misappropriation, loss or other unauthorized disclosure of information, whether impacting us or third parties we rely on or do business with, could result in losses, damage our reputation or relationships with customers and suppliers, expose us to the risks of litigation, regulatory action and liability, disrupt our operations and have a material adverse effect on our business, results of operations and financial condition.
To date, we have not experienced a cybersecurity threat or incident that has had a material adverse effect on our business, results of operations and financial condition. We, and third parties we do business with, have experienced cybersecurity attacks and incidents in the past, some of which have resulted in unauthorized access to our information and systems and other disruptions to our business operations, and we could in the future experience similar incidents. See Risk Factors in Item 1A for additional information on cybersecurity risks.