Page last updated on April 11, 2024
POTLATCHDELTIC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 12:46:51 EST.
Filings
10-K filed on 2024-02-15
POTLATCHDELTIC CORP filed an 10-K at 2024-02-15 12:46:51 EST
Accession Number: 0000950170-24-015684
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity below for a description of the company s and management s processes used to assess, identify, and manage material risks from cybersecurity threats, and our board of directors’ role in overseeing risks from cybersecurity threats. We are implementing a new enterprise resource planning system (ERP). We are in the process of implementing a new ERP system that is intended to replace certain components of our existing operating and financial systems in 2024. We are designing the ERP system to accurately maintain our financial records, enhance operational functionality and provide timely operating information to our management team. We have invested significant resources in the planning and project management of the ERP implementation. Companies that implement new ERP systems may experience delays, increased costs and other difficulties. If we are not successful in designing and implementing our ERP system as planned or if it does not operate as intended, the effectiveness of our internal control over financial reporting could be adversely affected, or our ability to assess those controls adequately could be delayed. We may be unsuccessful in carrying out our acquisition strategy. Our real property holdings are primarily timberlands, and we may make additional timberlands and other forest products asset acquisitions in the future. We intend to strategically pursue acquisitions and strategic divestitures when market conditions warrant. The markets for timberland and forest products assets are highly competitive given how infrequently such assets become available for purchase. As a result, many real estate investors have built up their cash positions and face aggressive competition to purchase quality timberland assets. A significant number of entities and resources competing for high-quality timberland properties support relatively high acquisition prices for such properties, which may reduce the number of acquisition opportunities available to, or affordable for, us. As with any investment, our acquisitions may not perform in accordance with our expectations, including achieving cost savings, revenue growth, synergies, expected returns on the investment, business opportunities and growth prospects. In addition, we anticipate financing such acquisitions through cash from operations, borrowings under our unsecured credit facilities, proceeds from equity or debt offerings or proceeds from strategic asset dispositions, or any combination thereof. The failure to identify, complete and successfully integrate acquisitions into our operations could adversely affect our operating results, cash flows, financial condition and the market price of our common stock. Additionally, our inability to finance future acquisitions on favorable terms, or at all, could adversely affect our ability to successfully execute strategic acquisitions and thereby adversely affect our results of operations. 30 Table of Contents We may be unsuccessful in participating or competing in natural climate solution markets. Natural climate solutions (NCS) opportunities, such as carbon credits, solar, carbon capture and storage, bioenergy, and emerging technologies that allows wood fiber to be used in applications ranging from biofuels to bioplastics, are evolving and expanding. We have several NCS initiatives underway, including participation in carbon credit markets and the sale or lease of land for solar energy. We believe growth in NCS markets could provide opportunities to further maximize the use of our timberlands, increase our timberland values, generate increased revenues and profitability, and drive long-term stockholder value. However, there can be no assurance that we will be able to successfully execute on these natural climate solutions initiatives and/or compete in these markets in accordance with our expectations, which could result in an adverse effect on our business, financial results, and stockholder value. Our financial condition and results of operations may be materially adversely affected by a global health crisis such as coronavirus (COVID-19). We face risks related to public health epidemics and other outbreaks, including the global outbreak of a novel strain of COVID-19 and its variants. We, our suppliers, contractors and customers modified business practices for the continued health and safety of our employees during the COVID-19 pandemic. If a resurgence of COVID-19 or a potentially more severe global health crisis occurs, we or our suppliers, contractors, customers and others may be restricted or prevented from conducting business activities for indefinite or intermittent periods of time, including as a result of employee health and safety concerns, shutdowns, supply chain disruptions, shelter in place orders, travel restrictions and other actions and restrictions that may be prudent or required by governmental authorities. The full extent to which a global health crisis could impact our business and operating results depends on future developments that are highly uncertain and cannot be accurately predicted and may also trigger the occurrence, or exacerbate, other risks discussed herein, any of which could have a material adverse effect on our business, results of operation, cash flows and financial condition. Our defined benefit pension plans are currently underfunded. We have a qualified defined benefit pension plan covering certain of our current and former employees which, at December 31, 2023, was 88.4% funded. Future actions involving our qualified and unqualified defined benefit and other postretirement plans, such as annuity buyouts and lump-sum payouts could cause us to incur significant pension and postretirement settlement and curtailment charges and may require cash contributions to maintain a legally required funded status. The measurement of the pension benefit obligation, determination of pension plan net periodic costs and the requirements for funding our pension plans are based on a number of actuarial assumptions, including the expected rate of return on plan assets and the discount rate applied to the pension obligation. Changes in plan asset returns and long-term interest rates could increase our costs under our defined benefit pension plans and may significantly affect future contribution requirements. It is unknown what the actual investment return on our pension assets will be in future years and what interest rates may be at any given point in time. We cannot therefore provide any assurance of what our actual pension plan costs will be in the future, or if we will be required under applicable law to make future material plan contributions. For additional information regarding this matter, see Note 15: Savings Plans, Pension Plans and Other Postretirement Employee Benefits in the Notes to Consolidated Financial Statements . A strike or other work stoppage, or our inability to renew collective bargaining agreements timely and on favorable terms, could adversely affect our financial results. Certain employees at one of our sawmills, representing 14% of our total workforce, are covered under a collective bargaining agreement that expires in 2026. If our unionized workers were to engage in a strike or other work stoppage, or other non-unionized operations were to become unionized, we could experience a significant disruption of operations at our facilities or higher ongoing labor costs. A strike or other work stoppage in the facilities of any of our major customers or suppliers could also have similar effects on us. ITEM 1B. UNRE SOLVED STAFF COMMENTS None. 31 Table of Contents ITEM 1C. CYBERSECURITY We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws; other litigation and legal risk; and reputational risk. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We devote significant resources to protecting and improving the security of our systems and employ a range of tools and services, including network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to inform our professionals risk identification and assessment. We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our processes to standards set by the National Institute of Standards and Technology (NIST), as well as by engaging with experts to attempt to infiltrate our information systems (as defined in Item 106(a) of Regulation S-K). To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents (as defined in Item 106(a) of Regulation S-K), we undertake the below listed activities: closely monitor emerging data protection laws and, if necessary, implement changes to our policies and employee training processes designed to comply; undertake regular reviews of our policies and statements related to cybersecurity; conduct annual cybersecurity awareness training for all relevant employees to increase their awareness and responsibilities when faced with cybersecurity threats; conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; conduct regular phishing email simulations for all employees to enhance awareness and responsiveness to such possible threats and provide supplemental training when appropriate; through policy, practice, and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care; run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies; leverage the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and Additionally, we carry information security risk insurance coverage that we believe to be appropriate for the potential losses arising from a cybersecurity incident. However, this insurance may be subject to certain exceptions and may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems. Our incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as comply with potentially applicable legal obligations and mitigate brand and reputational damage. As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including by regularly having a third-party qualified security assessor review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity 32 Table of Contents specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform pre-engagement assessments for all third-party service providers based on the sensitivity of the data that will be handled and stored by that third-party service provider. Annually, we review Service Organization Control (SOC) 1 or 2 reports for certain outsourced service providers whose systems are utilized in processing and recording company or employee data. Cybersecurity is an important part of our risk management processes and an area of continued focus for our board and management. The audit committee of the board of directors is responsible for the oversight of the company s enterprise risk management program, including reviewing and discussing with management at least annually (i) management s report on risk management, including management s assessment of risk exposure (for example, risks relating to operations, climate change, cybersecurity threats and regulatory compliance, among others), the processes in place to identify and manage significant risks, and steps taken by management to control or mitigate such exposures, and (ii) management s report on cybersecurity risk management, which may include a review of the company s cybersecurity framework, priorities, risk profile, and processes, controls and strategy to mitigate data protection and cybersecurity risks. Pursuant to the company’s incident response plan, management would discuss with the audit committee any significant cybersecurity incidents that may have a material effect on the company s business or its financial statements and management s mitigation and remediation plan for such incidents. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Information Technology Director (IT Director) and Director of Information Security (IS Director). Our IS Director has over ten years of experience managing information security, developing cybersecurity strategy and implementing relevant and effective cybersecurity programs. Together, our IT Director and IS Director hold numerous credentials, including a Bachelor of Science in Cybersecurity & Information Assurance, Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Global Information Assurance Certification (GIAC), Certified Forensics Analyst (GCFA), GIAC Certified Incident Handler (GCIH), and others. Our IT Director reports directly to the Chief Financial Officer, which enables quick notification to the entire management team of any significant cybersecurity incidents. The management team and the enterprise risk committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Our IT Director also reports at least annually to the audit committee about cybersecurity threat risks, among other cybersecurity related matters, and our Chief Executive Officer reports regularly to the chair of our board of directors, and the full board of directors, as appropriate, about any emerging threats to our operations, at scheduled board meetings and through communications between board meetings. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. For more information about cybersecurity risks we face, see the risk factor titled Cybersecurity incidents could disrupt business operations, result in the loss of critical and confidential information, and adversely impact our reputation and results of operations included as part of our risk factor disclosures within Part I Item 1. Business, Item 1A. Risk Factors contained in this report.
ITEM 1C. CYBERSECURITY We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws; other litigation and legal risk; and reputational risk. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We devote significant resources to protecting and improving the security of our systems and employ a range of tools and services, including network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to inform our professionals risk identification and assessment. We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our processes to standards set by the National Institute of Standards and Technology (NIST), as well as by engaging with experts to attempt to infiltrate our information systems (as defined in Item 106(a) of Regulation S-K). To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents (as defined in Item 106(a) of Regulation S-K), we undertake the below listed activities: closely monitor emerging data protection laws and, if necessary, implement changes to our policies and employee training processes designed to comply; undertake regular reviews of our policies and statements related to cybersecurity; conduct annual cybersecurity awareness training for all relevant employees to increase their awareness and responsibilities when faced with cybersecurity threats; conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; conduct regular phishing email simulations for all employees to enhance awareness and responsiveness to such possible threats and provide supplemental training when appropriate; through policy, practice, and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care; run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies; leverage the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and Additionally, we carry information security risk insurance coverage that we believe to be appropriate for the potential losses arising from a cybersecurity incident. However, this insurance may be subject to certain exceptions and may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems. Our incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as comply with potentially applicable legal obligations and mitigate brand and reputational damage. As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including by regularly having a third-party qualified security assessor review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity 32 Table of Contents specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform pre-engagement assessments for all third-party service providers based on the sensitivity of the data that will be handled and stored by that third-party service provider. Annually, we review Service Organization Control (SOC) 1 or 2 reports for certain outsourced service providers whose systems are utilized in processing and recording company or employee data. Cybersecurity is an important part of our risk management processes and an area of continued focus for our board and management. The audit committee of the board of directors is responsible for the oversight of the company s enterprise risk management program, including reviewing and discussing with management at least annually (i) management s report on risk management, including management s assessment of risk exposure (for example, risks relating to operations, climate change, cybersecurity threats and regulatory compliance, among others), the processes in place to identify and manage significant risks, and steps taken by management to control or mitigate such exposures, and (ii) management s report on cybersecurity risk management, which may include a review of the company s cybersecurity framework, priorities, risk profile, and processes, controls and strategy to mitigate data protection and cybersecurity risks. Pursuant to the company’s incident response plan, management would discuss with the audit committee any significant cybersecurity incidents that may have a material effect on the company s business or its financial statements and management s mitigation and remediation plan for such incidents. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Information Technology Director (IT Director) and Director of Information Security (IS Director). Our IS Director has over ten years of experience managing information security, developing cybersecurity strategy and implementing relevant and effective cybersecurity programs. Together, our IT Director and IS Director hold numerous credentials, including a Bachelor of Science in Cybersecurity & Information Assurance, Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Global Information Assurance Certification (GIAC), Certified Forensics Analyst (GCFA), GIAC Certified Incident Handler (GCIH), and others. Our IT Director reports directly to the Chief Financial Officer, which enables quick notification to the entire management team of any significant cybersecurity incidents. The management team and the enterprise risk committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Our IT Director also reports at least annually to the audit committee about cybersecurity threat risks, among other cybersecurity related matters, and our Chief Executive Officer reports regularly to the chair of our board of directors, and the full board of directors, as appropriate, about any emerging threats to our operations, at scheduled board meetings and through communications between board meetings. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. For more information about cybersecurity risks we face, see the risk factor titled Cybersecurity incidents could disrupt business operations, result in the loss of critical and confidential information, and adversely impact our reputation and results of operations included as part of our risk factor disclosures within Part I Item 1. Business, Item 1A. Risk Factors contained in this report.
Company Information
| Name | POTLATCHDELTIC CORP |
| CIK | 0001338749 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | PCH - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |