JELD-WEN Holding, Inc. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

JELD-WEN Holding, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 15:49:02 EST.

Filings

10-K filed on 2024-02-20

JELD-WEN Holding, Inc. filed an 10-K at 2024-02-20 15:49:02 EST
Accession Number: 0001674335-24-000059

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C - Cybersecurity. Risk Management and Strategy We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats as part of our overall risk management system and processes. Our cybersecurity risk management processes include the following: a. We leverage the National Institute of Standards and Technology ( NIST ) framework to help ensure the Company s risk posture remains in alignment with the Company s overall risk appetite. b. The Company utilizes policies, software, training programs, hardware solutions and managed services to protect and monitor our environment, including multifactor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, identity and access management systems and 24x7 security operations center. c. The Company s approach to managing cybersecurity and digital risk is led by our CIO and CISO. Our CIO is supported by the Company at the highest levels and regularly engages with cross-functional teams at the Company, including Legal, Audit, Finance, Human Resources and Enterprise Risk Management. d. We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident. Such insurance may be insufficient to cover all losses or all types of claims that may arise. e. Our cybersecurity team conducts semi-annual cyber awareness training for professional associates using an independent third-party security training provider to educate best practices, policies and responsibilities pertaining to cybersecurity. We also conduct quarterly simulated phishing tests to generate awareness and run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our practices, procedures and technologies. f. Our cybersecurity incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, communicate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. g. Our cybersecurity team regularly conduct tests of our information security environment and controls through vulnerability scanning, penetration testing and attack simulation testing. Additionally, our cybersecurity risk management processes include review and assessment by external, independent third parties, who assess the maturity of our cybersecurity program and identify areas for continued focus and improvement. Furthermore, our Legal Department advises the Board about best practices for cybersecurity oversight by the Board, and the evolution of that oversight over time. Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. Our cybersecurity team conducts third-party software security reviews for new software products being implemented into our production environments. The Company also has a third-party risk management process that regularly assesses and monitors risks, including cybersecurity, from vendors and suppliers. See Risk Factors in Item 1A of this Annual Report on Form 10-K for information on cybersecurity risks that may materially affect our business strategy, results of operations and financial condition. Governance The cybersecurity risk management processes described above are led by our CIO and CISO, each having more than 25 years of information security experience. Our Board, Audit Committee, senior management and the Enterprise Risk Management Committee (a management committee of senior representatives from corporate functions and business lines) devote resources to cybersecurity and risk management processes. The Audit Committee is primarily responsible for the oversight of enterprise risk management and cybersecurity risks, including cybersecurity threats. To fulfill this responsibility, the Audit Committee receives periodic reports from the CIO. These reports include information regarding updates on cybersecurity initiatives, cybersecurity metrics, such as phishing 31 Back to top results and attack volume metrics, results of any assessments performed by internal stakeholders or external third-party advisors and updates on cybersecurity trends and insights. The CIO provides a cybersecurity update to the full Board at least annually. 32 Back to top

Company Information