DuPont de Nemours, Inc. - (DD)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy
DuPont has implemented processes for assessing, identifying and managing material risks from cybersecurity threats, which are integrated into the Company’s overall risk management systems and processes. DuPont’s cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework. The Company regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and containment. The Company has other policies and procedures which directly or indirectly relate to cybersecurity, including those related to remote access monitoring, encryption standards, antivirus protection, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. The Company also engages third parties in connection with the assessment of its cybersecurity risk management processes against the NIST framework.
DuPont has dedicated Information Technology security professionals that form the DuPont Cyber Incident Response Team (“DCIRT”). The DCIRT is led by our Chief Information Security Officer (“CISO”) and is responsible for the detection and initial assessment of cybersecurity threats and incidents (collectively, “cyber incidents”), whether internal or experienced by significant third-party service providers, using, among other means, third-party software. The DCIRT classifies detected cyber incidents into one of four categories based on potential impact to the functionality of the affected systems, possible or known information involved and recoverability effort. The classification of a cyber incident is designed to allow rapid prioritization, response and escalation. The CISO and the Chief Information Officer (“CIO”) are alerted as to any detected cyber incident that is potentially significant. Incidents are documented for regular internal reporting processes including notations and considerations of related attacks.
The CIO and CISO are required to engage the Cybersecurity Incident Review Committee (“CIRC”), a subcommittee of the DuPont Disclosure Committee, if a cyber incident has materially affected, or is reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. The CIRC is engaged if, in the opinion of the DCIRT, based on information then-available, a cyber incident is, or it is reasonably possible it may be, classified in one of the highest two severity categories discussed above. The CIRC includes membership representation from information technology, legal, finance, investor relations and internal audit and, if appropriate, the impacted business. The CIRC is responsible for performing a materiality assessment, activating the Crisis Management Committee (“CMC”) when applicable, and overseeing the public disclosure of material cybersecurity matters, as appropriate. The CIRC coordinates with the Company’s legal counsel and third parties, such as consultants and legal advisors, as needed. The CMC is a standing committee comprised of senior management and reports to the CEO. In the event the CMC is activated in relation to a cyber incident, the CEO is required by Board adopted policy to notify the Lead Director and any member of the Board of Directors identified as having cybersecurity expertise.
As part of preparatory and post-closing integration activities in connection with merger and acquisition activity, the Company: (i) conducts a cybersecurity risk threat assessment and when evidence of a breach is uncovered, conducts additional due diligence; (ii) based on the assessment, the Company develops and implements risk mitigation plans if needed and brings the acquisition under the Company’s cyber-attack/breach detection and response programs; and (iii) conducts an internal controls risk and compliance assessment and creates, as needed, responsive action plans intended to mitigate and remediate identified weaknesses in the control environment.
DuPont deploys annual cybersecurity training for employees and considers this a critical step in safeguarding the Company’s data and assets. The training provides employees and contractors with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. The course includes enhancements to strengthen our defensive stance against the increasing number and sophistication of cyberattacks worldwide and includes interactive modules covering various areas, including insider attacks, phishing and email attacks, preventing malware attacks, data protection, data handling, passwords, cloud and internet security and cybersecurity fundamentals for mobile devices.
Like other major corporations, DuPont is the target of cyber-attacks from time to time. However, risks from previous cybersecurity incidents have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. For additional information about risks related to cybersecurity, see “The Company’s business, results of operations, financial condition and cash flows could be adversely affected by interruption of the Company’s information technology or network systems and other business disruptions” in Item 1A. Risk Factors of this Annual Report.
Governance
Roles and Responsibilities
Cybersecurity is an important part of our risk management processes and an area of focus for DuPont’s Board of Directors and management. The CIO and the CISO are primarily responsible for assessing and managing material risks from cybersecurity threats. The CIO has fifteen years of cybersecurity experience, including six years with DuPont, and the CISO has twenty-six years of cybersecurity experience, including one year with DuPont. Each of the CIO and the CISO maintains industry-recognized credentials relevant to their roles.
The Board, acting through its committee structure, is responsible for overseeing management’s implementation and execution of the risk management process and for coordinating the outcome of reviews by Committees in their respective risk areas. Although each Committee is responsible for overseeing the management of certain risks, the full Board is regularly informed by the Committees about these risks. This helps enable the Board and the Committees to coordinate risk oversight and the relationships among the various risks faced by the Company, including cybersecurity risk.
The full Board is responsible for oversight of cybersecurity risk and receives regular reports from the CIO and the CISO. The CIO and the CISO also present their assessment of material risks from cybersecurity threats to the Board at least annually. The Audit Committee receives periodic reports regarding information technology general controls (“ITGC”) in connection with its oversight of internal control over financial reporting. The impact, if any, of cyber incidents on internal control over financial reporting is also discussed with the full Board. The Nomination and Governance Committee considers cyber expertise in vetting nominees for the Board and recommending Committee appointments, and DuPont’s Board of Directors has determined that one of its independent board members has cybersecurity expertise.