FMC CORPORATION CYBERSECURITY POLICY
Policy Statement
FMC Corporation (“FMC,” “we,” the “Company”, or correlative terms) recognizes that the threat of cybersecurity breaches may create significant risks for the Company. Accordingly, we are committed to an ongoing and comprehensive program to protect all Company data, as well as data in our supply chain, from cybersecurity threats. The risk mitigation program, which is overseen by our Board of Directors and senior management, includes regular assessment of evolving risks, auditing, robust IT security systems, regular employee training, and a comprehensive cyber incident response plan.
Each year in our Form 10-K, we describe our approach to identifying cybersecurity risks. We have an active program to monitor cybersecurity threats, including but not limited to hacking attempts as well as email phishing attempts. FMC’s periodic tests include “attack-simulations” in the form of penetration tests and anti-phishing tests. We also have a policy which includes progressive disciplinary actions for employees who fail such phishing tests. Board and Senior Management Oversight
FMC’s Board of Directors oversees the Company’s cybersecurity program primarily through its Audit Committee (100% of the Audit Committee directors are classified as independent), which meets at least 4 times per year. The Audit Committee includes directors whose prior work experience provide them with insights as to potential cybersecurity risks and mitigation strategies. As of February 2021, one director on the Audit Committee has completed additional director training on cybersecurity issues; we are committed to providing ongoing director training to all Audit Committee members on this evolving risk area.
Company executives update the Audit Committee regarding the cybersecurity program and related issues at least twice per year. In addition, Company executives discuss cybersecurity with the entire Board of Directors at least once per year.
The Audit Committee Charter (as of February 2021) states as follows:
The Audit Committee shall, among other responsibilities, discuss with management the Company’s policies with respect to risk assessment and risk management, including the Company’s major financial risk exposures and risks related to cyber security; steps management has taken to monitor and control such exposures; and significant estimates affecting the Company’s financial statements, such as litigation, tax and environmental matters. (emphasis added)
In addition, the Company maintains a Cyber Security Council comprised of Senior Management including the CEO, CFO, General Counsel, CIO, and CTO, who review and oversee the details of the current cybersecurity program and the strategic direction of the program to address evolving risks. The Council meets at least twice a year.
Page 1 of 4
Auditing of Cybersecurity Programs
Recognizing the value of auditing of risk management programs, FMC follows the National Institute of Technology (NIST) Cyber Security Framework (CSF), which provides organizations guidance on how to identify, prevent, detect, and respond to cybersecurity threats.
FMC has its cybersecurity programs audited periodically (on average, every two years) by independent third parties according to the highest cybersecurity standards. The most recent audit occurred in November 2020, performed by Ernst & Young. The audit results provided insight for areas of future improvement in risk mitigation, which the Company is addressing through the upcoming year. These audit results are reviewed by the Company’s Cyber Security Council and the Audit Committee.
Disclosure of Cybersecurity Risks; Insurance
FMC regularly assesses all potentially significant risks and discloses such risks to investors and other third parties in its Form 10-K. The most recent disclosure can be found in the 2020 Form 10-K, filed February 25, 2021, in the General Risks Factors section:
Information technology security and data privacy risks - As with all enterprise information systems, our information technology systems could be penetrated by outside parties’ intent on extracting information, corrupting information, deploying ransomware, or disrupting business processes. Remote and other work arrangements may leave the Company more vulnerable to a cyberattack. Our systems have in the past been, and likely will in the future be, subject to unauthorized access attempts. Unauthorized access could disrupt our business operations and could result in failures or interruptions in our computer systems, lockout from systems due to ransomware, or in the loss of assets and could have a material adverse effect on our business, financial condition or results of operations. In addition, breaches of our security measures or the accidental loss, inadvertent disclosure, or unapproved dissemination of proprietary information or sensitive or confidential information about the Company, our employees, our vendors, or our customers, could result in litigation, violations of various data privacy regulations in some jurisdictions, and also potentially result in a liability. While we have taken measures to assess the requirements of, and to comply with the European Union's General Data Protection Regulation and data privacy regulations in other countries, these measures may be challenged by authorities that regulate data- related compliance. We could incur significant expense in facilitating and responding to investigations and if the measures we have taken prove to be inadequate, we could face fines or penalties. This could damage our reputation, or otherwise harm our business, financial condition, or results of operations.
The Company regularly considers whether investing in insurance is an appropriate additional risk mitigation measure; as of February 2021, the Company does not carry any insurance specifically related to cybersecurity risks.
Key Cybersecurity Program Elements
FMC’s Cybersecurity program includes governance defined by IT Policies and Standards a robust IT Risk Management program that identifies and manages IT risks including a software vulnerability management system. FMC uses access controls based on the principle of least privilege and special tools for the
Page 2 of 4
management of privileged access. FMC employs anti-malware tools and other email security tools, intrusion detection and other tools for monitoring and alerting.
Employee Training on Cybersecurity and Acceptable Use of IT Resources
FMC’s employees around the globe are required to go through a training module on cybersecurity at least once per year; on average, over 90% of employees do not fail any aspect of the training tests. The typical focus of these efforts is on email phishing attacks, but there are multiple types of required training exercises each year. When employees fail these trainings, we utilize a progressive disciplinary approach to help them better identify phishing attacks, starting with additional training, but after multiple subsequent failures, termination of employment may be considered.
The Company also has an Acceptable Use of IT Resources Policy to educate employees and mitigate risk. All users of FMC’s Information Technology (IT) resources must do so responsibly, lawfully, and otherwise in compliance with all FMC policies. The policy defines and clarifies expected behavior with respect to FMC IT resources in a number of areas of concern, including User’s responsibilities for authorized and appropriate use of FMC IT Resources, including electronic communications, business vs. personal use of resources, portable computing devices, encryption of sensitive information, malware protection, software procurement and use, and FMC’s rights to monitor use. The policy is not intended to restrict communications or actions protected or required by applicable law.
Cyber Incident Response Plan
FMC has a Cyber Incident Response Plan (CIRP) which establishes procedures to prepare for, and respond to, a variety of cyber incidents that could impact FMC’s employees, businesses, operations, communities, or reputation. The CIRP is reviewed at least once annually to assure that it meets current reasonably anticipated potential scenarios. The CIRP does not attempt to give prescriptive step-by-step actions on how to respond to a cyber incident. Instead, it establishes the framework and tools to use company resources efficiently to manage the cyber incident and minimize its impact. The CIRP is also used for training, tabletop exercises, and staff orientations.
Reporting on Cyber Breaches
During the period 2017-2020, we have had zero information leaks caused by a cybersecurity breach.
Likewise, during the period 2017-2020, FMC has incurred no expenses that were related to cybersecurity breaches, or that were related to penalties or settlements that resulted from a security breach.
FMC intends to report on any cybersecurity breaches at least once annually.
Public Posting of Policy
This Policy shall be publicly posted on FMC’s corporate internet site, and will be reviewed (and if needed, updated) at least once per year.
Page 3 of 4
Further Information
All inquiries regarding the provisions or procedures of this policy should be addressed to:
Michael F. Reilly Executive Vice President, General Counsel, Chief Compliance Officer and Secretary FMC Corporation 2929 Walnut Street Philadelphia, PA 19104
Page 4 of 4