Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy
The Company has processes in place to identify, assess and monitor material risks from cybersecurity threats, which are part of the Company’s overall enterprise risk management process and have been embedded in the Company’s operating procedures, internal controls and information systems.
Dow's comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages International Organization for Standardization (ISO) 27001/27002 standards for general information technology controls, International Society of Automation/International Electrotechnical Commission standards for industrial automation, the National Institute of Standards and Technology Cyber Security Framework ("NIST CSF") for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls. In addition, the Company maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy.
Dow has comprehensive processes to manage cybersecurity risks when engaging with third-party service providers, including reviewing questionnaires and independent quantitative scores of the vendor’s cyber hygiene, maintaining robust controls to address and mitigate significant risks that may arise, and performing ongoing assessments and reviews throughout the duration of the engagement.
Dow has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees, contractors and third parties with access to the Company’s network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspect human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular Company communications with frequent updates to educate on the latest adversary trends and social engineering techniques.
Additionally, Dow engages in cyber crisis response simulations to assess Dow’s ability to adapt to information and operational technology threats. Improper or illegitimate use of the Company’s information system resources or violation of the Company’s information security policies and procedures is subject to disciplinary action. Dow’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including Multi-Factor Authentication and principles of Zero Trust to ensure that access to information and communication is vetted and secure.
Dow also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate Dow’s security posture. The Company also engages external firms to measure Dow’s NIST CSF maturity level.
As of the date of this report, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. Although the Company has mature processes in place to identify and mitigate potential risks from cybersecurity threats, such risks cannot be completely eliminated. More information on the risks of cybersecurity threats and potential impact to the Company can be found in Item 1A. Risk Factors.
Governance
Role of Management
Dow’s Information Systems organization is led by Dow’s Chief Information and Digital Officer, who reports to Dow's Chief Operating Officer, and is responsible for administration of the cybersecurity and information security framework and risk management, with oversight by the Audit Committee of the Board.
The Company’s Chief Information and Digital Officer has formal education in information technology and more than 30 years of experience in information systems and technology, including as the vice president of Global Information Technology. Prior to joining Dow, the Chief Information and Digital Officer held a variety of leadership roles including vice president of Information Technology at Cargill, Incorporated. The Chief Information and Digital Officer receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.
The Company’s management responsible for developing and executing Dow’s cybersecurity policies comprises individuals with either formal education and degrees in information technology or cybersecurity, or with experience working in information technology and cybersecurity, including relevant experience in security-related industries. Additionally, leaders in the Company’s information technology function receive periodic training and education on cybersecurity-related topics. Certain leaders also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.
The Company’s Cyber Security Operations Center (“CSOC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or Dow internal information systems and incidents originating from third parties. The CSOC provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cybersecurity incidents. The CSOC evaluates each incident in terms of its impact on the Company’s operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. The CSOC is also responsible for activating the containment and resolution efforts and third-party service providers are engaged where appropriate to support the Company through the resolution of the incident. The CSOC escalates incidents with significant impact and pervasiveness to the Company’s Corporate Crisis Management Team for further action. After initial identification, the CSOC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.
Role of the Board
Dow's Board recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk, at least annually. While the full Board is accountable for cybersecurity and AI risk management, the Board has delegated responsibility for oversight of the Company’s cybersecurity and information security framework and risk management to the Audit Committee of the Board. The Audit Committee receives information and updates at least quarterly and actively engages with senior leaders, including the Chief Information and Digital Officer and Chief Information Security Officer, with respect to the effectiveness of the Company’s cybersecurity and information security framework, data privacy, and risk management. In addition, the Audit Committee receives reports summarizing threat detection and mitigation plans, audits of internal controls, training and certification, and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to information systems security, including cybersecurity incidents. The Audit Committee also reviews external firms’ assessments of the Company’s security posture and NIST CSF maturity level. Information made available to the Audit Committee is also made available to the full Board. The Audit Committee includes members with significant experience and/or expertise in technology or cybersecurity, including information systems.
Cybersecurity Risk Management Processes Integrated [Text Block]
Risk Management and Strategy
The Company has processes in place to identify, assess and monitor material risks from cybersecurity threats, which are part of the Company’s overall enterprise risk management process and have been embedded in the Company’s operating procedures, internal controls and information systems.
Dow's comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages International Organization for Standardization (ISO) 27001/27002 standards for general information technology controls, International Society of Automation/International Electrotechnical Commission standards for industrial automation, the National Institute of Standards and Technology Cyber Security Framework ("NIST CSF") for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls. In addition, the Company maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy.
Dow has comprehensive processes to manage cybersecurity risks when engaging with third-party service providers, including reviewing questionnaires and independent quantitative scores of the vendor’s cyber hygiene, maintaining robust controls to address and mitigate significant risks that may arise, and performing ongoing assessments and reviews throughout the duration of the engagement.
Dow has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees, contractors and third parties with access to the Company’s network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspect human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular Company communications with frequent updates to educate on the latest adversary trends and social engineering techniques.
Additionally, Dow engages in cyber crisis response simulations to assess Dow’s ability to adapt to information and operational technology threats. Improper or illegitimate use of the Company’s information system resources or violation of the Company’s information security policies and procedures is subject to disciplinary action. Dow’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including Multi-Factor Authentication and principles of Zero Trust to ensure that access to information and communication is vetted and secure.
Dow also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate Dow’s security posture. The Company also engages external firms to measure Dow’s NIST CSF maturity level.
As of the date of this report, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. Although the Company has mature processes in place to identify and mitigate potential risks from cybersecurity threats, such risks cannot be completely eliminated. More information on the risks of cybersecurity threats and potential impact to the Company can be found in Item 1A. Risk Factors.
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
As of the date of this report, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. Although the Company has mature processes in place to identify and mitigate potential risks from cybersecurity threats, such risks cannot be completely eliminated. More information on the risks of cybersecurity threats and potential impact to the Company can be found in Item 1A. Risk Factors.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Role of the Board
Dow's Board recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk, at least annually. While the full Board is accountable for cybersecurity and AI risk management, the Board has delegated responsibility for oversight of the Company’s cybersecurity and information security framework and risk management to the Audit Committee of the Board. The Audit Committee receives information and updates at least quarterly and actively engages with senior leaders, including the Chief Information and Digital Officer and Chief Information Security Officer, with respect to the effectiveness of the Company’s cybersecurity and information security framework, data privacy, and risk management. In addition, the Audit Committee receives reports summarizing threat detection and mitigation plans, audits of internal controls, training and certification, and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to information systems security, including cybersecurity incidents. The Audit Committee also reviews external firms’ assessments of the Company’s security posture and NIST CSF maturity level. Information made available to the Audit Committee is also made available to the full Board. The Audit Committee includes members with significant experience and/or expertise in technology or cybersecurity, including information systems.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Company’s Cyber Security Operations Center (“CSOC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or Dow internal information systems and incidents originating from third parties. The CSOC provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cybersecurity incidents. The CSOC evaluates each incident in terms of its impact on the Company’s operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. The CSOC is also responsible for activating the containment and resolution efforts and third-party service providers are engaged where appropriate to support the Company through the resolution of the incident. The CSOC escalates incidents with significant impact and pervasiveness to the Company’s Corporate Crisis Management Team for further action. After initial identification, the CSOC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.
Cybersecurity Risk Role of Management [Text Block]
Role of Management
Dow’s Information Systems organization is led by Dow’s Chief Information and Digital Officer, who reports to Dow's Chief Operating Officer, and is responsible for administration of the cybersecurity and information security framework and risk management, with oversight by the Audit Committee of the Board.
The Company’s Chief Information and Digital Officer has formal education in information technology and more than 30 years of experience in information systems and technology, including as the vice president of Global Information Technology. Prior to joining Dow, the Chief Information and Digital Officer held a variety of leadership roles including vice president of Information Technology at Cargill, Incorporated. The Chief Information and Digital Officer receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.
The Company’s management responsible for developing and executing Dow’s cybersecurity policies comprises individuals with either formal education and degrees in information technology or cybersecurity, or with experience working in information technology and cybersecurity, including relevant experience in security-related industries. Additionally, leaders in the Company’s information technology function receive periodic training and education on cybersecurity-related topics. Certain leaders also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.
The Company’s Cyber Security Operations Center (“CSOC”) serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target employees or Dow internal information systems and incidents originating from third parties. The CSOC provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cybersecurity incidents. The CSOC evaluates each incident in terms of its impact on the Company’s operations, ability to conduct business with customers and suppliers, brand reputation and health, safety or the environment, and the speed and degree to which the incident has been contained. The CSOC is also responsible for activating the containment and resolution efforts and third-party service providers are engaged where appropriate to support the Company through the resolution of the incident. The CSOC escalates incidents with significant impact and pervasiveness to the Company’s Corporate Crisis Management Team for further action. After initial identification, the CSOC monitors all cybersecurity incidents for changes in degree of impact or pervasiveness.
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Dow’s Information Systems organization is led by Dow’s Chief Information and Digital Officer, who reports to Dow's Chief Operating Officer, and is responsible for administration of the cybersecurity and information security framework and risk management, with oversight by the Audit Committee of the Board.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The Company’s Chief Information and Digital Officer has formal education in information technology and more than 30 years of experience in information systems and technology, including as the vice president of Global Information Technology. Prior to joining Dow, the Chief Information and Digital Officer held a variety of leadership roles including vice president of Information Technology at Cargill, Incorporated. The Chief Information and Digital Officer receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.
The Company’s management responsible for developing and executing Dow’s cybersecurity policies comprises individuals with either formal education and degrees in information technology or cybersecurity, or with experience working in information technology and cybersecurity, including relevant experience in security-related industries. Additionally, leaders in the Company’s information technology function receive periodic training and education on cybersecurity-related topics. Certain leaders also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.