GIBRALTAR INDUSTRIES, INC. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

GIBRALTAR INDUSTRIES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 08:55:45 EST.

Filings

10-K filed on 2024-02-21

GIBRALTAR INDUSTRIES, INC. filed a 10-K at 2024-02-21 08:55:45 EST
Accession Number: 0000912562-24-000012


Item 1C. Cybersecurity.

Securing the Company’s IT systems is integral and foundational to its everyday operations. The mission of the Company’s cybersecurity team is to focus on defining and deploying its information security strategy, sustaining a robust employee cyber awareness and training program, executing security engineering, providing continuous monitoring of its operations, responding and coordinating the response and investigation of cyber threats, building and testing its disaster recovery plans in support of its businesses continuity plan requirements, and developing its cyber and information security policies.

The Company employs a dedicated cybersecurity team led by its head of information and cybersecurity who reports directly to the Company’s Chief Digital Information Officer. Combined, the Company’s cybersecurity team has nearly four decades of security and technology operations expertise along with numerous security certifications.

The Company’s cybersecurity strategy is based on recognized best practices, standards, and frameworks for cybersecurity and information technology, including the Center for Information Security (“CIS”) Controls and National Institute of Standards and Technology (“NIST”). The strategy focuses on implementing technologies, controls, and processes to constantly monitor, identify, assess, and manage cybersecurity risks. The Company also has a cybersecurity incident response plan that is designed to provide a framework across all functions for a coordinated identification and response to security incidents.

Beyond technologies, processes, and controls, the Company’s cybersecurity program also includes exercises designed to sustain a high level of awareness and readiness across its employee base of the risks that threat actors pose to the Company. Whether it is through the Company’s monthly company-wide cyber training; its frequent in-house phishing exercises, regular tabletop exercises with the Company’s Board of Directors, management, and employees; or its annual cyber business continuity planning sessions, the Company strives to provide education so its employees can be a positive force in the protection of the Company’s systems.

The Company engages leading cybersecurity firms to assist with its security engineering and operations; provide independent evaluations of its security posture through regular assessment, penetration testing, or ethical hacking; and to audit and provide advice on how to make its security operations and controls more effective. Furthermore, the Company utilizes third-party service providers to perform a variety of functions to assist in operating the business. The cybersecurity risks associated with the use of certain providers are covered under a vendor management process. Depending on the nature of the services provided, the sensitivity and/or quantity of information processed, the vendor management process may include reviewing cybersecurity practices of these providers, contractually imposing obligations on the provider, inspecting independently audited reports, and/or conducting its own security assessments of their services.

The Company’s Board of Directors has ultimate oversight of the Company’s cybersecurity risk. Senior leadership, including the Chief Digital Information Officer, updates the Board of Directors on the Company’s cybersecurity and information security posture at least quarterly at the Company’s board meetings, or more frequently as determined to be necessary or advisable. These updates include a review of cybersecurity incidents determined to have a moderate to high business impact, even if immaterial to the Company as a whole.

The Audit and Risk Committee has responsibility for assisting the Board in the review and oversight of risks affecting the Company, and oversees the enterprise risk management process, which includes, with the assistance of internal audit, assessing the Company’s exposure to cybersecurity risk and the effectiveness of the Company’s processes and controls to address and respond to those risks. Management is responsible for hiring appropriate personnel, integrating cybersecurity considerations into the company’s overall risk management strategy, and for communicating key priorities to employees, as well as for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Notwithstanding the focus and emphasis on cybersecurity, the Company has experienced and will continue to experience cybersecurity incidents. While prior incidents have not had a material effect on the Company’s business, there can be no guarantee that the Company will not experience a future incident that does have a material effect on its business. See “Risk Factors - Risks Related to Information Technology - The Company’s business and financial performance may be adversely affected by cybersecurity attacks, information systems interruptions, equipment failures, and technology integration” for more information on the Company’s cybersecurity risks.


Company Information

Name: GIBRALTAR INDUSTRIES, INC.
CIK: 0000912562
SIC Description: Steel Works, Blast Furnaces & Rolling & Finishing Mills
Ticker: ROCK - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30