Cybersecurity and Data Privacy

Male employee working with data on computer screen

We apply best practice cybersecurity and data privacy protocols throughout PPG.

Our cybersecurity program is designed to protect and preserve the confidentiality, integrity and continuity of our networks, systems and information, as well as information that we own or is in our care, through a risk-based approach. We implement physical, organizational and technological safeguards to protect information about our customers, employees and suppliers. Our data privacy policies are designed to prevent unauthorized access and disclosure of personal information using a range of operational and technological safeguards. Our employees receive comprehensive training on data privacy concepts to prevent misuse of personal information.

For both cybersecurity and data privacy, we follow the U.S. National Institute for Standards and Technology (NIST) and other applicable industry frameworks.

Male and female working with data on computer screens

Reducing emissions from data centers

Data centers are important enablers of PPG's operations, as they allow for the electronic storage, processing and dissemination of data and applications. Physical data centers are energy intensive and rely on continuous and reliable electricity. As part of our continued efforts to reduce energy use across the company, we have been transitioning our data to cloud service providers, such as AWS and Azure. These cloud providers are more than three times as energy efficient when compared with our internally managed physical data centers.

As of the end of 2024, 95% of our IT operations are managed through the cloud. We were able to shut down four out of eight physical data centers, which reduced our annual energy consumption by an estimated 998mWh. This transition also reduced our greenhouse gas emissions by 578 metric tons of CO2 equivalent, comparable to 135 gasoline-powered passenger vehicles driven for one year.

Cybersecurity and data privacy program improvements

We have significantly increased cybersecurity investments over the last five years and have implemented cybersecurity safeguards designed to detect and prevent cybersecurity events. We regularly assess and measure our program against industry practices to identify opportunities to improve the people, processes and technology used to identify, prevent, detect, respond and recover from cybersecurity incidents.

A key focus area in 2024 was strengthening our training and incident preparedness across the business. PPG employees engage in ongoing cybersecurity awareness and training activities, including frequent phishing testing and training on detecting impersonations through social media and email channels. We have placed an increased emphasis on training and prevention of phishing scams as attackers have become more sophisticated, and perform control testing in nine different languages across the company. We recently created local incident response groups across PPG to continue to drive improvements. These groups are responsible for assessing risk specific to their area of the business, preparing response plans and responding to any incidents to minimize their impact.

In 2024, our automotive business achieved certification from the Trusted Information Security Assessment Exchange (TISAX). The TISAX certification, which is specific to the automotive industry, verifies that our information security management system meets certain security thresholds.

Our Global Data Privacy Council continues to oversee all data privacy compliance activities. Members of the council represent key stakeholders from departments handling personal information or supporting relevant systems and processes. The council has a core focus on monitoring ongoing data privacy legislation to ensure PPG is positioned to adapt to evolving requirements. In 2024, the Global Data Privacy Council expanded its focus to include AI and has begun to establish governance structures to monitor data privacy risks related to AI.

Progress in addressing cybersecurity and data privacy issues is crucial for maintaining trust with PPG’s stakeholders. We will continue to monitor digital threats and adapt our approach to safeguarding confidential information.

Learn more about our approach to cybersecurity and data privacy, including elements of our cybersecurity program and governance, at the bottom of this web page.

Learn more, access our Global Data Privacy Statement and contact us at our privacy website.

Our approach to cybersecurity and data privacy

Our security protocols and practices ensure the protection of sensitive information and systems. We apply best practice cybersecurity and data privacy protocols and practices throughout our systems. Our approach ensures the protection of our information, and that of our customers and others.

Cybersecurity

PPG's cybersecurity program is designed to protect and preserve the confidentiality, integrity and continued availability of all information that we own or is in our care. Our program is based on the U.S. National Institute for Standards and Technology (NIST) standards and other applicable industry standards. We regularly assess and measure ourselves against industry practices to identify opportunities to improve people, processes and technology used to identify, prevent, detect, respond and recover from cybersecurity incidents.

Our cybersecurity program includes:

ongoing employee cybersecurity awareness and training activities, which include frequent phishing testing;
access management and access controls intended to implement Principle of Least Privilege (PoLP) access;
protection of certain data through encryption at rest and in transit;
monitoring and protection software;
a vulnerability management program that includes managing the risk of third-party software;
a cyber incident response plan that provides controls and procedures to support appropriate containment, response, investigation, reporting and recovery of cybersecurity incidents;
periodic testing of our cybersecurity posture, including by independent third-party consultants; and
integrating cybersecurity requirements and other provisions into various contracts.

PPG's Board of Directors has oversight of risk management at PPG, which includes cybersecurity risks. The Audit Committee of the Board is responsible for oversight of the Company's enterprise risk management (ERM) program, which provides oversight and governance of cybersecurity threats. The Audit Committee receives bi-annual reports and periodic briefings on cybersecurity matters, including key risks to PPG, recent developments, and risk mitigation activities from our vice president and chief information officer (CIO) and our chief information security officer (CISO), who are both responsible for overseeing our cybersecurity program. In addition, the full Board receives bi-annual briefings from our CIO on our cybersecurity program. The Board and the Audit Committee periodically review the results of exercises performed by our advisors as part of an independent assessment of PPG's cybersecurity program and internal preparedness. The Enterprise Risk Committee, a committee of senior executives who identify and monitor the risks to PPG and are responsible for our ERM program, receives updated information on cybersecurity risks at each of its meetings.

We maintain insurance covering certain costs that we may incur in connection with cybersecurity incidents.

Data Privacy

Our internal data privacy policies are designed to prevent unauthorized access to, and disclosure of, personal information using a range of operational and technological safeguards. Our employees also receive training on data privacy concepts to prevent the misuse of personal or confidential information. When we share personal information with third parties, we take contractual measures to ensure such information is protected and processed in accordance with applicable laws. We closely monitor evolving data privacy and data protection legislation around the world and update our policies and procedures to comply with current regulations.

We have a global data privacy manager responsible for ensuring the ongoing compliance of PPG’s data privacy and data protection policies and procedures. The manager chairs the Global Data Privacy Council, comprised of key internal stakeholders in the data privacy area and whose role is to supervise and lead compliance initiatives. The global data privacy manager reports to our chief compliance officer (CCO). The CCO oversees our data privacy program and provides regular reports to the PPG Board of Directors' Audit Committee.

Our privacy notices and statements outline how we collect, use and protect personal information provided to PPG. When personal information is no longer required, we destroy, anonymize or dispose of it using secure methods in accordance with applicable requirements.

Learn more by accessing our Global Data Privacy Statement or contact us via PPG Data Privacy Portal.

We apply best practice cybersecurity and data privacy protocols throughout PPG.

Reducing emissions from data centers

Cybersecurity and data privacy program improvements

Cybersecurity

Data Privacy

Download the Sustainability Report

Contact Us