LOUISIANA-PACIFIC CORP 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

LOUISIANA-PACIFIC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 12:57:17 EST.

Filings

10-K filed on 2024-02-14

LOUISIANA-PACIFIC CORP filed an 10-K at 2024-02-14 12:57:17 EST
Accession Number: 0001628280-24-004714

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity CYBERSECURITY OVERSIGHT Risk Management and Strategy LP places utmost priority on ensuring consistent and uninterrupted operational capability, as well as securing confidential business assets. We have systems and processes in place to assess, identify and manage cybersecurity incidents, and those systems and processes are integrated into our overall enterprise risk management system. We invest heavily in technology and third-party support to identify, mitigate, and quickly respond to cybersecurity incidents, and we have maintained a strong focus in consistently reviewing fundamental cybersecurity practices and ensuring we are reviewing emerging threats. To respond to the threat of security breaches and cyberattacks, we maintain a cybersecurity program designed to protect and preserve the confidentiality, integrity and continued availability of all information owned by, or in the care of, LP. This program includes mechanisms to monitor and detect unusual network activity, cybersecurity incident response and containment tools, and a response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incident. We also have a cybersecurity training and compliance program in place for the Company whereby our connected employees receive training and are tested routinely through simulated phishing attempts. We rely heavily on third-party suppliers and vendors, and a cybersecurity incident at one of our suppliers or vendors could have a material adverse impact on our business operations. We evaluate third-party cybersecurity risk controls through various assessment activities carried out by LP employees and by third-party service providers acting on our behalf. We engage an independent third party to conduct a biennial Security Program Assessment under the National Institute of Standards and Technology Cybersecurity framework. For incident alerts and response, we outsource around-the-clock coverage to a third-party managed service provider who provides timely alerting and notification of potential cybersecurity issues. In 2023, we also engaged a specialized third-party assessor to perform an operational technology security assessment for a subset of our manufacturing facilities. We continually work with third-party experts to advise on new threats and cybersecurity strategy best practices for specific capabilities. No risks from cybersecurity threats have materially affected, nor has LP identified any specific risks from known cybersecurity threats that are reasonably likely to materially affect, LP, including our business strategy, results of operations or financial condition. Please see “Risk Factors Business and Operational Risk Factors Cybersecurity risks related to the technology used in our operations and other business processes, as well as security breaches of Company, customer, consumer, employee, or vendor information could adversely affect our business " in Item 1A of this annual report on Form 10-K for additional discussion of cybersecurity risks applicable to LP. Management Responsibilities Our cybersecurity program is managed by our Information Security Officer (ISO). Our ISO has over five years of cybersecurity experience working in publicly traded companies, with expertise leading risk remediation efforts in vulnerability management, network security, security awareness, threat monitoring, data security and cloud security. To more effectively share information and gain consensus regarding cybersecurity initiatives and prevention policies, the Company has in place a Cyber Council consisting of various members of LP senior leadership and the Chief Information Officer. The Cyber Council is chaired by our ISO. The ISO, along with her team, is responsible for leading an enterprise-wide information security strategy, including policy, standards, architecture, processes, and security technology. The Cyber Council (i) meets semi-annually to review and discuss the Company s cybersecurity risks and threats, incident responses, technology, the status of projects to strengthen the Company s information security systems, assessments of the Company s cybersecurity program and the emerging threat landscape and (ii) reports risks related to any material cybersecurity incidents, as needed, to the Board of Directors and the Finance and Audit Committee (FAC) of the Board of Directors. 27 Board Responsibilities Oversight of risks from cybersecurity threats is shared by the Board of Directors and the FAC. The FAC oversees our cybersecurity program. The ISO provides the FAC with an annual presentation on our cybersecurity program, emerging threats, and the state of LP s cybersecurity maturity. In addition, the ISO provides updates to the FAC no less often than quarterly with respect to materials regarding the cybersecurity program. 28

Company Information