UNION CARBIDE CORP /NEW/ - (UK1)

10-K Filing Date: January 31, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Dow has processes in place to identify, assess and monitor material risks from cybersecurity threats, including the material risks of the Corporation. These processes are part of Dow’s overall enterprise risk management process and have been embedded in Dow’s operating procedures, internal controls and information systems.

Dow's comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages International Organization for Standardization 27001/27002 standards for general information technology controls, International Society of Automation/International Electrotechnical Commission standards for industrial automation, the National Institute of Standards and Technology Cyber Security Framework ("NIST CSF") for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls.

Dow contracts with external firms to assess Dow’s cybersecurity controls relative to its peers using the NIST CSF. Dow also has a third-party risk management program that assesses risks from vendors and suppliers. In addition, Dow maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy.

Dow has established cybersecurity and information security awareness training programs. Formal training on topics relating to Dow’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees, contractors and third parties with access to Dow’s network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspicious human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular Dow company-wide communications with frequent updates to educate on the latest adversary trends and social engineering techniques.

Additionally, Dow engages in cyber crisis response simulations to assess Dow’s ability to adapt to information and operational technology threats. Improper or illegitimate use of Dow’s information system resources or violation of Dow’s information security policies and procedures is subject to disciplinary action. Dow’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including Multi-Factor Authentication and principles of Zero Trust to ensure that access to information and communication is vetted and secure.

Dow also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate Dow’s security posture. Dow also engages external firms to measure Dow’s NIST CSF maturity level.

No risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Corporation, including its business strategy, results of operations or financial condition.

Governance
Role of Management
Dow’s Information Systems organization, led by Dow’s Chief Information and Digital Officer, is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation, with oversight by Dow's Audit Committee.

Dow’s Chief Information and Digital Officer has formal education in information technology and extensive experience working in and leading Dow’s information systems and technology function. The Chief Information and Digital Officer receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.

Dow management responsible for developing and executing its cybersecurity policies comprises individuals with either formal education and degrees in information technology or cybersecurity, or with experience working in information technology and cybersecurity, including relevant industry experience in security-related industries. Additionally, leaders in Dow’s information technology function receive periodic training and education on cybersecurity-related topics. Certain leaders also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.

Dow’s Cyber Security Operations Center (“CSOC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or Dow internal information systems and incidents originating from third parties. The CSOC provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cyber incidents. The CSOC evaluates each incident in terms of its impact on Dow’s and the Corporation's operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. The CSOC is also responsible for activating the containment and resolution efforts, and third-party service providers are engaged where appropriate to support Dow through the resolution of the incident. The CSOC escalates incidents with significant impact and pervasiveness to Dow’s Corporate Crisis Management Team for further action. After initial identification, the CSOC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.

Role of the Corporation's Board
The Corporation's Board of Directors ("Board") recognizes the importance of cybersecurity in safeguarding the Corporation’s sensitive data. The Board is responsible for overseeing overall risk management for the Corporation, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk.

The Corporation’s Board receives information and updates periodically with respect to the effectiveness of Dow’s cybersecurity and information security framework, data privacy and risk management, which includes that of the Corporation. The Board also receives updates on material incidents relating to information systems security, including cybersecurity incidents.
