MERCER INTERNATIONAL INC. 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

MERCER INTERNATIONAL INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 16:32:34 EST.

Filings

10-K filed on 2024-02-15

MERCER INTERNATIONAL INC. filed a 10-K at 2024-02-15 16:32:34 EST
Accession Number: 0000950170-24-015942


Item 1C. Cybersecurity.

We maintain comprehensive programs and technologies to ensure that our information systems are effective and prepared for data privacy and cybersecurity risks, including regular oversight of our security programs for monitoring internal and external threats to ensure the confidentiality and privacy of our data. As the volume and complexity of cyber-attacks continue to evolve, we continue to enhance our security capabilities by continued investment in cyber technologies, further developing our internal cybersecurity personnel and educating our workforce regarding cybersecurity, and leveraging emerging technologies.

Risk Management and Strategies

We regularly perform evaluations of our security program and continue to implement controls aligned with industry guidelines to identify threats, detect attacks and protect data. Our risk management strategy is focused on three areas: (i) technology, being our hardware and software systems; (ii) processes, being our cybersecurity reporting, testing and other processes; and (iii) people, which refers to our internal cybersecurity personnel, external service providers and individual training and human interaction within our information technology and cybersecurity processes. We seek to align our cybersecurity program with practices recommended under ISO 27001 and by the National Institute of Standards and Technology and the Center for Internet Security Critical Security Controls.

When reviewing third party information technology service providers, our engagement process customarily includes, among other things, a review of such providers’ cybersecurity measures. Additionally, we use third party data, such as Security Scorecard, to review and monitor such providers and as an indicator in respect of our cybersecurity environments. We periodically undertake cybersecurity audits, the results of which are reported to our Audit Committee.

We have also implemented security monitoring programs designed to alert us of any suspicious activity, and have developed an incident response program in the event of a security breach. We implement various training programs periodically to ensure that our employees and other personnel comply with internal processes and to enhance their cybersecurity awareness. Additionally, we have engaged third party providers to supplement our response capabilities for both informational and operational technology incidents, as needed. See also Item 1A. “Risk Factors Risks Related to our Business - Failures or security breaches of our information technology systems could disrupt our operations and negatively impact our business”.

Governance

Our board of directors oversees our risk management processes and has tasked our Audit Committee with oversight of our cybersecurity and information governance, including periodically reviewing and discussing with management our risk exposures relating to data privacy and cybersecurity, and reviewing the steps we have taken to identify, assess, monitor, mitigate and manage such exposure and cybersecurity risks. At the management level, our Director of Cybersecurity is responsible for overseeing our cybersecurity processes and risk management, working together with our Chief Information Officer to implement our cybersecurity initiatives. Our Audit Committee and management meet with the Board on a quarterly basis to provide updates on cybersecurity risks, material cyber-attacks and security incidents as they occur, as well as to promote company-wide cyber risk and security awareness. Additionally, our Chief Information Officer and Director of Cybersecurity meet periodically with the Board or the Audit Committee to brief them on technology and information security matters.

Our Director of Cybersecurity is informed of any cybersecurity incidents by applicable personnel, and oversees remediation efforts in accordance with our processes. Our Chief Information Officer reports to our Audit Committee on significant incidents periodically. Our Director of Cybersecurity has over 20 years of experience as a cybersecurity and information technology professional and holds the Certified Information Systems Security Professional designation.


Company Information

Name: MERCER INTERNATIONAL INC.
CIK: 0001333274
SIC Description: Pulp Mills
Ticker: MERC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30