BOISE CASCADE Co 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

BOISE CASCADE Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:24:09 EST.

Filings

10-K filed on 2024-02-20

BOISE CASCADE Co filed a 10-K at 2024-02-20 16:24:09 EST
Accession Number: 0001328581-24-000018


Item 1C. Cybersecurity.

Cybersecurity Risk Oversight and Risk Assessment

We recognize the importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. One of the key functions of our board of directors is to provide informed oversight of our risk management processes. While management is assigned responsibility for the day-to-day response to material risks we face, our board of directors maintains responsibility for risk oversight, including risks related to cybersecurity threats. The Audit Committee of our board of directors is responsible for discussing risk exposures relating to cybersecurity, including current and emerging developments and threats, and the steps management has taken to monitor and control such exposures. The Audit Committee is composed of board members with diverse expertise, including financial, governance, and information security and controls, which equips them to oversee cybersecurity risks effectively. Our cybersecurity risk identification and assessment process is integrated into our enterprise risk management process. Our board of directors and key members of management across the organization rank previously identified risks, identify new or emerging risks, and provide commentary on the financial or strategic impact these risks could have on the Company. The risk survey responses are analyzed in the context of our business, recommendations are made where appropriate, and ownership of risk response is assigned to specific individuals. The results of this process are presented to our board of directors at least annually.

In addition, our Information Technology (IT) Director provides quarterly updates to our board of directors on cybersecurity incidents, cybersecurity awareness activities, including results of mock-phishing exercises, regulatory and compliance matters specific to cybersecurity, and activities related to business continuity, including data validation and restore testing and tabletop exercises. Risk assessment for cybersecurity threats is embedded into these quarterly updates, with each topic discussed being assigned a risk level. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we can provide no assurance that there will not be cybersecurity threats or incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition. For more information regarding the risks we face from cybersecurity threats, see Item 1A. “Risk Factors” included in this report.

Cybersecurity Risk Management

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our IT Director. Our current IT Director has been in his position since 2014 and has over 30 years of information technology, finance, and operational experience in our organization. Our IT Director is certified in governance of enterprise IT (CGEIT), is a Certified Data Privacy Solutions Engineer (CDPSE) and a Certified Information Systems Auditor (CISA). Our IT Director and other IT leaders systematically use the Control Objectives for Information and Related Technology (COBIT) framework as an IT governance framework and remain educated on other best practices in compliance, projects, and processes.

In addition, our IT Director reviews our operational plan annually with our operating segments, which includes review and discussion of a cybersecurity risk management framework. Our information services department, led by our IT Director, manages and continually enhances our information systems with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. We work to install new and upgrade existing information technology systems. We recognize the importance of preventative controls in mitigating the risk from cybersecurity threats and have implemented measures such as anti-virus security, two-factor authentication, web filtering, browser isolation tools, and mobility safeguards to enable enhanced security on personal devices. In addition, we provide mandatory cybersecurity training to our employees around phishing, malware, and other cybersecurity risks to ensure that we are protected, to the greatest extent possible, against cybersecurity risks and security breaches. Recognizing the complexity and evolving nature of cybersecurity threats, we engage independent third parties to penetration test our systems, consult on security enhancements, and perform industrial control system audits. In addition, our IT-related internal controls over financial reporting are audited by our independent external auditors. These practices allow us to leverage specialized knowledge and insights, identify risks, and continuously improve our information technology internal controls and processes to respond to the evolving cybersecurity threats. We also acknowledge the risks associated with third-party service providers. We employ a risk-based due diligence process of engaging and managing third-party relationships.

The third-party management program is integrated into our enterprise risk management process to measure risks and evaluate current and evolving resource needs. We perform risk assessments of new and existing service providers, develop and maintain a proactive approach to address non-compliance, and establish monitoring plans based on risk scores. This process continues throughout the lifecycle of the third-party relationship. Initially, new third parties are segmented into risk categories based on reputational/sanction screenings, geographical location, contractual obligations, financial arrangements, data transfer/sharing agreements, subcontractor/additional entity relationships of the third party, and business relationship oversight feedback. When the ongoing risk monitoring identifies a change in risk profiles, monitoring plans are adjusted as appropriate to ensure proper controls are in place and due diligence is applied to mitigate higher-risk relationships. These practices are designed to mitigate risks related to data breaches and other security incidents originating from third-party service providers.

Monitoring and Responding to Cybersecurity Incidents and Data Breaches

Management reduces the risk of cyber incidents by monitoring network traffic through security controls, including firewalls, intrusion detection/prevention systems, anti-virus/anti-malware systems, cyber threat intelligence, and vulnerability monitoring tools. We use extended detection and response (XDR) technology to integrate network, endpoint, and cloud data to stop sophisticated attacks by detecting malware and exploit threats, including using artificial intelligence (AI) behavioral analytics. We also partner with a security operation center (SOC) to provide 24-7 outside monitoring services for additional support to the internal IT team.

We have an established cross-functional IT incident response team, which includes our IT Director, to respond to cyber incidents effectively and to coordinate communications that may be necessary in the event of an incident. The incident response team has a prescriptive plan to track cyber incidents and responses and has established communication protocols when an event occurs, enabling better reporting of such events. Our incident response plan includes involving law enforcement, as needed, depending on the nature of the attack. Members of the IT incident response team and data breach team, discussed in more detail below, maintain relationships with key suppliers and other entities in order to collaborate and communicate about ongoing cyber threats that may impact the Company. We have also developed a data breach response plan that includes policies and procedures to assess the nature and scope of an incident that has been determined to be a breach, identify the information systems and types of information that may have been accessed or misused, contain and control the incident, maintain or restore business continuity, and communicate the incident to the necessary parties, dependent upon the nature and severity of the incident. In addition, we have formed a data breach response team that is comprised of individuals across the organization, including our IT Director, executive management, information technology and security, risk management, audit, legal, privacy and compliance, finance, communications, and business and IT operations. The data breach response plan outlines the roles and responsibilities of the data breach response team members, including monitoring of new data breach reporting regulations and communication protocols for incident reporting.

In the event of a verified data breach, the data breach response team communicates the data breach to internal and external stakeholders, including employees, vendors, customers, law enforcement, and other federal or state agencies. The data breach response team also works with the necessary individuals to determine whether a verified data breach has a material impact to the company. If determined to be material, the data breach response team provides our CEO with documentation to communicate the incident to our board of directors. In addition, we perform quarterly incident response and data breach tabletop exercises, which are simulations of cybersecurity incidents that are designed to test the effectiveness of our incident and data breach response plans. These exercises identify potential process improvements, opportunities to enhance the incident and data breach response plans and help prepare for actual cybersecurity incidents. We recognize that cyber threats are a permanent part of the risk landscape and that new threats are constantly evolving. For these and other reasons, we have made it a priority to ensure the risk of cybersecurity threats is integrated into our risk assessment and risk management processes.


Company Information

Name: BOISE CASCADE Co
CIK: 0001328581
SIC Description: Wholesale-Lumber & Other Construction Materials
Ticker: BCC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30