DOW INC. - (DOW)
10-K Filing Date: January 31, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company has processes in place to identify, assess and monitor material risks from cybersecurity threats, which are part of the Company’s overall enterprise risk management process and have been embedded in the Company’s operating procedures, internal controls and information systems.
Dow's comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages International Organization for Standardization 27001/27002 standards for general information technology controls, International Society of Automation/International Electrotechnical Commission standards for industrial automation, the National Institute of Standards and Technology Cyber Security Framework ("NIST CSF") for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls.
Dow contracts with external firms to assess Dow’s cybersecurity controls relative to its peers using the NIST CSF. Dow also has a third-party risk management program that assesses risks from vendors and suppliers. In addition, the Company maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy.
Dow has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees, contractors and third parties with access to the Company’s network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspect human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge of potential risks related to their individual job responsibilities. Training is supplemented through regular Company communications with frequent updates to educate on the latest adversary trends and social engineering techniques.
Additionally, Dow engages in cyber crisis response simulations to assess Dow’s ability to adapt to information and operational technology threats. Improper or illegitimate use of the Company’s information system resources or violation of the Company’s information security policies and procedures is subject to disciplinary action. Dow’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including Multi-Factor Authentication and principles of Zero Trust to ensure that access to information and communication is vetted and secure.
Dow also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate Dow’s security posture. The Company also engages external firms to measure Dow’s NIST CSF maturity level.
No risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition.
Governance
Role of Management
Dow’s Information Systems organization, led by Dow’s Chief Information and Digital Officer, is responsible for administration of the cybersecurity and information security framework and risk management, with oversight by the Audit Committee.
The Company’s Chief Information and Digital Officer has formal education in information technology and extensive experience working in and leading Dow’s information systems and technology function. The Chief Information and Digital Officer receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.
The Company’s management responsible for developing and executing Dow’s cybersecurity policies is composed of individuals with either formal education and degrees in information technology or cybersecurity, or with experience working in information technology and cybersecurity, including relevant industry experience in security-related industries. Additionally, leaders in the Company’s information technology function receive periodic training and education on cybersecurity-related topics. Certain leaders also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.
The Company’s Cyber Security Operations Center (“CSOC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or Dow internal information systems and incidents originating from third parties. The CSOC provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cybersecurity incidents. The CSOC evaluates each incident in terms of its impact on the Company’s operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. The CSOC is also responsible for activating the containment and resolution efforts, and third-party service providers are engaged where appropriate to support the Company through the resolution of the incident. The CSOC escalates incidents with significant impact and pervasiveness to the Company’s Corporate Crisis Management Team for further action. After initial identification, the CSOC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.
Role of the Board
Dow's Board recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk, at least annually. The Board has delegated responsibility for oversight of the Company’s cybersecurity and information security framework and risk management to the Audit Committee of the Board. The Audit Committee receives information and updates at least quarterly and actively engages with senior leaders, including the Chief Information and Digital Officer and Chief Information Security Officer, with respect to the effectiveness of the Company’s cybersecurity and information security framework, data privacy, and risk management. In addition, the Audit Committee receives reports summarizing threat detection and mitigation plans, audits of internal controls, training and certification, and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to information systems security, including cybersecurity incidents. The Audit Committee includes members with significant experience and/or expertise in technology or cybersecurity, including information systems.