3M CO - (MMM)

10-K Filing Date: February 07, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company’s overall risk management systems, as overseen by the Company’s board of directors, primarily through its audit committee. These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company conducts security assessments of certain third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company from time to time engages third-party consultants, legal advisors, and audit firms in evaluating and testing the Company’s risk management systems and assessing and remediating certain potential cybersecurity incidents as appropriate.
Governance
Board of Directors
The audit committee of the Company’s board of directors oversees, among other things, the adequacy and effectiveness of the Company’s internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The audit committee is informed of material risks from cybersecurity threats pursuant to the escalation criteria as set forth in the Company’s disclosure controls and procedures. Further, at least once per quarter, the Company’s Chief Information and Digital Officer (“CIDO”), and/or the Company’s Chief Information Security Officer (“CISO”) reports on cybersecurity matters, including material risks and threats, to the Company’s audit committee, and the audit committee provides updates to the Company’s board of directors at regular board meetings. The CIDO also provides updates annually or more frequently as appropriate to the Company’s board of directors.
Management
Under the oversight of the audit committee of the Company’s board of directors, and as directed by the Company’s Chief Executive Officer, the CIDO and CISO are primarily responsible for the assessment and management of material cybersecurity risks. The CIDO has more than two decades of experience with global technology organizations across multiple industries. The CISO has over 25 years of experience in information security, risk management, and compliance, has served as the chief information security officer at other organizations and, among other things, is a certified information systems security professional. The CIDO and CISO are also supported by a Cybersecurity & Privacy Executive Oversight Committee, which is comprised of certain members of senior management and is intended to provide cross-functional support for cybersecurity risk management and facilitate the response to any cybersecurity incidents.
The Company’s CISO oversees the Company’s cybersecurity incident response plan and related processes that are designed to assess and manage material risks from cybersecurity threats. The Company’s CISO also coordinates with the Company’s legal counsel and third parties, such as consultants and legal advisors, to assess and manage material risks from cybersecurity threats. The Company’s CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to criteria set forth in the Company’s incident response plan and related processes.
The Company’s Disclosure Committee, with the assistance of its Cybersecurity Subcommittee, is responsible for overseeing the establishment and effectiveness of controls and other procedures, including controls and procedures related to the public disclosure of material cybersecurity matters. The Company’s Disclosure Committee is comprised of, among others, the Company’s Corporate Controller and Chief Accounting Officer (“CAO”), Treasurer, Chief Legal Affairs Officer (“CLO”), Corporate Secretary, General Auditor, and the most senior members of the investor relations, external reporting, financial planning and analysis, and tax functions. The Cybersecurity Subcommittee of the Company’s Disclosure Committee is comprised of, among others, the Company’s CAO, Treasurer, CLO, Corporate Secretary, and General Auditor, as well as the CIDO and CISO and Chief Privacy Officer.
The Company’s CISO, or a delegate, informs the Disclosure Committee’s Cybersecurity Subcommittee of certain cybersecurity incidents that may potentially be determined to be material pursuant to escalation criteria set forth in the Company’s incident response plan and related processes. The Disclosure Committee’s Cybersecurity Subcommittee is also primarily responsible for advising the Disclosure Committee and the Company’s Chief Executive Officer and Chief Financial Officer regarding cybersecurity disclosures in public filings. The CISO, with the CLO in attendance, also notifies the audit committee chair of any material cybersecurity incident.
As of the date of this Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition and that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factor beginning on page 14 of the section entitled “Item 1A. Risk Factors” in this Form 10-K.