Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
PPG’s cybersecurity program is designed to protect and preserve the confidentiality, integrity and availability of our networks and systems as well as information that we own or is in our care through a risk-based approach. The Company’s program is based on the U.S. National Institute for Standards and Technology (NIST) cybersecurity framework and other applicable industry frameworks.
Our cybersecurity program includes:
ongoing employee cybersecurity awareness and training activities, which include frequent phishing testing;
access management and access controls intended to implement Principle of Least Privilege (PoLP) access;
protection of certain data through encryption at rest and in transit;
monitoring and protection software;
a vulnerability management program that includes managing the risk of third-party software;
a cyber incident response plan that provides controls and procedures to support appropriate containment, response, investigation, reporting and recovery of cybersecurity incidents;
periodic testing of our cybersecurity posture, including by independent third-party consultants; and
integrating cybersecurity requirements and other provisions into various contracts.
PPG has continued to invest in cybersecurity to evolve and improve its program. PPG regularly assesses and measures itself against industry practices to identify opportunities to improve its people, processes and technology used to identify, prevent, detect, respond and recover from cybersecurity incidents. When such improvements are identified and validated as appropriate in PPG’s business context, they are incorporated in the roadmap for implementation.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our cybersecurity program includes:
ongoing employee cybersecurity awareness and training activities, which include frequent phishing testing;
access management and access controls intended to implement Principle of Least Privilege (PoLP) access;
protection of certain data through encryption at rest and in transit;
monitoring and protection software;
a vulnerability management program that includes managing the risk of third-party software;
a cyber incident response plan that provides controls and procedures to support appropriate containment, response, investigation, reporting and recovery of cybersecurity incidents;
periodic testing of our cybersecurity posture, including by independent third-party consultants; and
integrating cybersecurity requirements and other provisions into various contracts.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The PPG Board of Directors (the “Board”) has overall responsibility for the oversight of risk management at PPG, which includes cybersecurity risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee of the Board (the “Audit Committee”) is responsible for oversight of the Company’s enterprise risk management (“ERM”) program which provides oversight and governance of all of the Company’s operational and financial risks including risks from cybersecurity threats to the Company.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee receives bi-annual reports and periodic briefings on cybersecurity matters, including key risks to the Company, recent developments, and risk mitigation activities from our Vice President and Chief Information Officer (“CIO”) and our Chief Information Security Officer (“CISO”), who are both responsible for overseeing our cybersecurity program. In addition, the full Board receives bi-annual briefings from our CIO on our cybersecurity program. The Board and the Audit Committee also periodically review the results of exercises performed by our advisors as part of an independent assessment of PPG’s cybersecurity program and internal preparedness.
Cybersecurity Risk Role of Management [Text Block] The Audit Committee receives bi-annual reports and periodic briefings on cybersecurity matters, including key risks to the Company, recent developments, and risk mitigation activities from our Vice President and Chief Information Officer (“CIO”) and our Chief Information Security Officer (“CISO”), who are both responsible for overseeing our cybersecurity program. In addition, the full Board receives bi-annual briefings from our CIO on our cybersecurity program. The Board and the Audit Committee also periodically review the results of exercises performed by our advisors as part of an independent assessment of PPG’s cybersecurity program and internal preparedness.
In addition, the Enterprise Risk Committee, a committee of senior executives who identify and monitor the risks to PPG and are responsible for our ERM program, receives updated information on cybersecurity risks at each of its meetings.
As part of their oversight of our cybersecurity program, our CIO and our CISO oversee a team of cybersecurity professionals and are responsible for assessing and managing our material risks from cybersecurity threats. Our CIO and CISO are trained information technology professionals, each of whom has earned degrees in information systems and business administration and has many years of experience in or managing global enterprise information technology at various organizations.
PPG maintains an internal communication hierarchy that is designed to communicate the occurrence of certain cybersecurity events and/or incidents into our systems to our CISO, our CIO, our company crisis response team, and, as appropriate, to certain members of senior management. This communication hierarchy includes protocols for informing the Audit Committee and the full Board of certain cybersecurity events and/or incidents and for determining the materiality thereof.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Audit Committee receives bi-annual reports and periodic briefings on cybersecurity matters, including key risks to the Company, recent developments, and risk mitigation activities from our Vice President and Chief Information Officer (“CIO”) and our Chief Information Security Officer (“CISO”), who are both responsible for overseeing our cybersecurity program.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO and CISO are trained information technology professionals, each of whom has earned degrees in information systems and business administration and has many years of experience in or managing global enterprise information technology at various organizations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] PPG maintains an internal communication hierarchy that is designed to communicate the occurrence of certain cybersecurity events and/or incidents into our systems to our CISO, our CIO, our company crisis response team, and, as appropriate, to certain members of senior management. This communication hierarchy includes protocols for informing the Audit Committee and the full Board of certain cybersecurity events and/or incidents and for determining the materiality thereof.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true