Kraton conducts security vulnerability assessments in alignment with our global security management procedure at all sites. We work on addressing risks to ensure a secure work environment for employees. Our Information Technology (IT) department continues to develop processes and procedures to identify cybersecurity risks that could jeopardize our operations, data and other sensitive information. We regularly conduct drills and identify weak areas to assess security levels and improve protection.

These improvements align with our ACC Responsible Care Security Code. Kraton also participates in the US Customs-Trade Partnership Against Terrorism (C-TPAT) program and the global Authorized Economic Operator (AEO). Both C-TPAT and AEO are voluntary government programs designed to increase global supply chain security. Both programs require risk-based audits of Kraton and unannounced audits of our suppliers. We also participate in Chemical Facility Anti-Terrorism Standards (CFATS) programs, and we comply with US requirements on security assessment and action plans.

INFORMATION SECURITY

Kraton depends on an integrated information systems to conduct our business. Information systems security threats and more sophisticated, targeted computer crimes can pose a security risk to our systems, networks and the confidentiality, availability and integrity of our data, operations and communications.

Kraton’s Information Security Program deploys administrative, technical and physical safeguards designed to protect confidential information in compliance with applicable security, confidentiality and privacy laws and regulations. The program was developed following the National Institute of Standards and Technology (NIST) framework to provide structure. The Kraton Board of Directors provide risk oversight for the program. The Board’s Audit Committee receives reports on management’s information security activities on a regular basis. The program’s day-to-day governance and oversight rest with the Corporate Compliance Committee, which also approves the Information Security Charter and Policy.

Under the program, an annual risk assessment and planning process takes place to ensure potential risks are known, understood and accounted for. Controls are implemented for existing and emerging risks, and are monitored for compliance through system monitoring, security testing, self-assessments and audits. Kraton systems are continually tested and assessed by an external security services provider Security Scorecard. Employees are required to annually affirm the company’s Code of Conduct, which includes obligations and responsibilities to abide by the Information Security Program. A complementary training program emphasizes its importance to employees.