|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Chemours recognizes the critical importance of maintaining a cybersecurity program to provide a secure and reliable computing environment protecting our information, systems and assets and to enable our digital transformation goals. Our cyber and information security program (the “Program”) is based upon standards published by the National Institute of Standards and Technology (“NIST”) in their Cybersecurity Framework. The goals of our Program are:
• identifying, preventing, and mitigating cybersecurity threats to the Company;
• preserving the confidentiality, security, and availability of the information that we collect and store to use in our business;
• protecting our intellectual property;
• maintaining the confidence of our customers, business partners and other stakeholders; and
• providing appropriate public disclosure of cybersecurity risks and incidents, when required.
The Chief Information Security Officer (“CISO”) is the Chemours executive principally responsible for managing and maintaining the Program, is accountable for managing risk, ensuring that the organization’s security posture is aligned with its business objectives, and providing timely updates to senior management on such efforts. The CISO reports to the Chief Information Officer. The current CISO has more than seven years with Chemours and over 25 years of total cyber and information security experience with multiple companies across both the private and public sector in CISO and other information security roles.
The CISO manages and is supported by a global team of risk managers, cyber defenders, architects, and engineers with the knowledge and experience to carry out day-to-day cybersecurity operations. They are also supported by third parties who provide threat intelligence, global infrastructure monitoring, and threat detection and response to cyber events. In addition, our Corporate Security team, a part of the Legal organization, has open lines of communication with various Federal, State and International law enforcement agencies to gain access to the latest cyber situational awareness.
We assess third-party cybersecurity controls through a cybersecurity questionnaire and include information security and privacy addendums to our contracts, where applicable. We also require that our vendors and other third parties report cybersecurity incidents to us so that we can assess the impact of the incident on us.
We educate our employees and contractors annually on cyber risks and prevention, monthly using online situational awareness training, active employee engagement, and ongoing phishing simulations.
The CISO has an incident response plan designed to address potential cybersecurity incidents and notify appropriate leadership while determining the material impact through a cyber sub-committee of management’s Disclosure Committee. The plan also includes implementing long-term strategies for recovery and prevention of future incidents.
A key part of our strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, threat modeling, and other exercises focused on evaluating the effectiveness of the Program.
The board of directors is responsible for oversight of our Enterprise Risk Management process ("ERM") and is informed of the risks associated with cybersecurity through periodic ERM updates. The Board has also delegated oversight of the cybersecurity and information security programs and processes for assessing, identifying and managing material risks from cybersecurity threats to the Audit Committee. The Audit Committee regularly meets with the CISO to review and discuss cybersecurity risks, the status of ongoing cyber initiatives and strategies, incident reports and learnings, as well as key performance indicators. The results of any cyber risk assessments, audits, and reviews are reported to the Audit Committee and, ultimately, the board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.
Although our Risk Factors include further details about the cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
A key part of our strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, threat modeling, and other exercises focused on evaluating the effectiveness of the Program.
The board of directors is responsible for oversight of our Enterprise Risk Management process ("ERM") and is informed of the risks associated with cybersecurity through periodic ERM updates. The Board has also delegated oversight of the cybersecurity and information security programs and processes for assessing, identifying and managing material risks from cybersecurity threats to the Audit Committee. The Audit Committee regularly meets with the CISO to review and discuss cybersecurity risks, the status of ongoing cyber initiatives and strategies, incident reports and learnings, as well as key performance indicators. The results of any cyber risk assessments, audits, and reviews are reported to the Audit Committee and, ultimately, the board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The board of directors is responsible for oversight of our Enterprise Risk Management process ("ERM") and is informed of the risks associated with cybersecurity through periodic ERM updates. The Board has also delegated oversight of the cybersecurity and information security programs and processes for assessing, identifying and managing material risks from cybersecurity threats to the Audit Committee. The Audit Committee regularly meets with the CISO to review and discuss cybersecurity risks, the status of ongoing cyber initiatives and strategies, incident reports and learnings, as well as key performance indicators. The results of any cyber risk assessments, audits, and reviews are reported to the Audit Committee and, ultimately, the board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The results of any cyber risk assessments, audits, and reviews are reported to the Audit Committee and, ultimately, the board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.
|Cybersecurity Risk Role of Management [Text Block]
|
The Chief Information Security Officer (“CISO”) is the Chemours executive principally responsible for managing and maintaining the Program, is accountable for managing risk, ensuring that the organization’s security posture is aligned with its business objectives, and providing timely updates to senior management on such efforts. The CISO reports to the Chief Information Officer. The current CISO has more than seven years with Chemours and over 25 years of total cyber and information security experience with multiple companies across both the private and public sector in CISO and other information security roles.
The CISO manages and is supported by a global team of risk managers, cyber defenders, architects, and engineers with the knowledge and experience to carry out day-to-day cybersecurity operations. They are also supported by third parties who provide threat intelligence, global infrastructure monitoring, and threat detection and response to cyber events. In addition, our Corporate Security team, a part of the Legal organization, has open lines of communication with various Federal, State and International law enforcement agencies to gain access to the latest cyber situational awareness.
We assess third-party cybersecurity controls through a cybersecurity questionnaire and include information security and privacy addendums to our contracts, where applicable. We also require that our vendors and other third parties report cybersecurity incidents to us so that we can assess the impact of the incident on us.
We educate our employees and contractors annually on cyber risks and prevention, monthly using online situational awareness training, active employee engagement, and ongoing phishing simulations.
The CISO has an incident response plan designed to address potential cybersecurity incidents and notify appropriate leadership while determining the material impact through a cyber sub-committee of management’s Disclosure Committee. The plan also includes implementing long-term strategies for recovery and prevention of future incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Chief Information Security Officer (“CISO”) is the Chemours executive principally responsible for managing and maintaining the Program, is accountable for managing risk, ensuring that the organization’s security posture is aligned with its business objectives, and providing timely updates to senior management on such efforts.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The current CISO has more than seven years with Chemours and over 25 years of total cyber and information security experience with multiple companies across both the private and public sector in CISO and other information security roles.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The CISO manages and is supported by a global team of risk managers, cyber defenders, architects, and engineers with the knowledge and experience to carry out day-to-day cybersecurity operations. They are also supported by third parties who provide threat intelligence, global infrastructure monitoring, and threat detection and response to cyber events. In addition, our Corporate Security team, a part of the Legal organization, has open lines of communication with various Federal, State and International law enforcement agencies to gain access to the latest cyber situational awareness.
The CISO has an incident response plan designed to address potential cybersecurity incidents and notify appropriate leadership while determining the material impact through a cyber sub-committee of management’s Disclosure Committee. The plan also includes implementing long-term strategies for recovery and prevention of future incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true