2021 Owens Corning Sustainability Report | Our Approach | Risk Management | 64 Cybersecurity Risk Owens Corning is subject to risks relating to our information technology systems, and any failure to adequately protect our critical information technology systems could materially affect our operations. We rely on information technology systems across our operations, including for management, supply chain and financial information, and various other processes and transactions. Our ability to effectively manage our business depends on the security, reliability, and capacity of these systems. Information technology system failures, network disruptions, or breaches of security could disrupt our operations, causing delays or cancellation of customer orders or impeding the manufacture or shipment of products, processing of transactions, or reporting of financial results. An attack or other problem with our systems could also result in the disclosure of proprietary information about our business or confidential information concerning our customers or employees, which could result in significant damage to our business and our reputation. We have put in place security measures designed to protect against the misappropriation or corruption of our systems, intentional or unintentional disclosure of confidential information, or disruption of our operations. However, advanced cybersecurity threats, such as malware, ransomware, phishing attacks, attempts to access information, and other security breaches are persistent and continue to evolve, making them increasingly difficult to identify and prevent. Protecting against these threats may require significant resources, and we may not be able to implement measures that will protect against all the significant risks to our information technology systems. In addition, we rely on a number of third-party service providers to execute certain business processes and maintain certain information technology systems and infrastructure, and any breach of security on their part could impair our ability to effectively operate. Moreover, our operations in certain geographic locations may be particularly vulnerable to security attacks or other problems. Any breach of our security measures could result in unauthorized access to and misappropriation of our information, corruption of data, or disruption of operations or transactions, any of which could have a material adverse effect on our business. We have established a range of security measures to protect against these concerns. We have implemented additional controls, security processes, and monitoring of our manufacturing systems. We have also implemented additional cloud security tools and governance processes. We rely on third-party service providers to execute certain business processes, maintain certain IT systems and infrastructure, evaluate defenses, and implement recommendations. Moreover, our operations in certain geographic locations may be particularly vulnerable to security attacks or other problems. To combat this, we have added global information security team members to address regional security issues. We also placed great emphasis on cyber risk associated with merger and acquisition activities. The board of directors’ audit committee is responsible for overseeing the cybersecurity strategy for the company. Maryann T. Mannen is the chair of the audit committee. Our chief information officer oversees cybersecurity for the company and provides updates on cybersecurity risks to the board of directors’ audit committee regularly. Audit committee member Paul Martin has more than 10 years’ experience as chief information officer at another company, and his expertise includes oversight of cybersecurity. The audit committee reviews how we are executing against its comprehensive cybersecurity framework. Regularly, the audit committee may receive updates on efforts regarding data loss prevention, regulatory compliance, data privacy, threat and vulnerability management, cyber-crisis management, or other topics as applicable. Risks Related to Child Labor and Forced Labor Owens Corning’s human rights policy states that we do not and will not employ child labor or forced, slave, convict, or bonded labor. In addition, Owens Corning will not knowingly engage a supplier or distributor, nor will we enter into a joint venture with an organization that directly or indirectly, through a third party, employs child labor, forced labor, or persons who were trafficked into employment. The Human Rights & Ethics chapter of this report offers further details. Owens Corning supports participation in legitimate workplace apprenticeship programs, provided they comply with all applicable laws and are consistent with Articles 6 and 7 of the International Labour Organization (ILO) Minimum Age Convention No. 138 on vocational or technical education and light work.