Ryerson Holding Corp 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Ryerson Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:44:03 EST.

Filings

10-K filed on 2024-02-21

Ryerson Holding Corp filed an 10-K at 2024-02-21 16:44:03 EST
Accession Number: 0000950170-24-018005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. We are committed to protecting Company information and the confidential information of our employees, customers, partners, and suppliers. To that end, we have in place various policies, procedures, and processes to identify, assess, manage, and prevent potential cybersecurity risk’s, and to timely detect the occurrence, and mitigate the effects of, cyberattacks and data breaches. Our Chief Information Officer (“CIO”), who has more than 25 years of information security and cybersecurity experience, manages cybersecurity, and oversees a team of dedicated cybersecurity personnel with various experience and certifications in information security and cybersecurity. Our personnel, along with external parties engaged to assess the sufficiency of our risk management processes (e.g., through penetration testing), continuously work to maintain and improve our cybersecurity program and the security and integrity of our information systems and infrastructure through our ongoing risk management program, including (i) by conducting cybersecurity assessments and audits to address threats and to stay in step with emerging malicious trends, and (ii) by performing due diligence on partners and suppliers to ensure similar values and appropriate security standards and safeguards are maintained by such partners and suppliers with respect to our information security assets and to third-party systems on which we rely. In addition, our Incident Response Team is trained to identify, quarantine, and remediate cybersecurity threats, and all of our employees are regularly trained to increase awareness of threats and to identify how to spot and avoid them. Cybersecurity is a formal component of our overall risk management program, and our management, including our Chief Information Officer, regularly update the Audit Committee of the Board of the status of our cybersecurity program. In the event that management identifies significant cybersecurity risk exposures, it will present such exposures to the Audit Committee, which oversees the actions, security, and risk mitigation efforts taken across our cybersecurity framework. With this input from management, the Audit Committee evaluates our cybersecurity risks and the responses implemented to prevent and/or mitigate any such risks. We have adopted an incident response plan that applies in the event of a cybersecurity incident involving a breach of our information technology systems and applications. Pursuant to this response plan, in the event of an incident, a multi-disciplinary team is assembled that is led by our CIO. The team in turn may leverage the expertise of third-party consultants, external legal counsel, and other resources. The plan includes procedures designed to facilitate containment of, and responses to, a cybersecurity incident, which are based on the type of incident, the location of the incident, and the breadth of the incident. The plan also establishes procedures for escalating incidents depending on severity and for notifying any impacted parties, including our customers, law enforcement and regulatory authorities, third-party vendors, and insurance providers. Our CIO will provide periodic updates to the Audit Committee and, when appropriate, the Board of Directors during this process. In addition to internal resources, we utilize third-party service providers to supplement and maintain our cybersecurity and our information technology systems. As of the date of this report, we are not aware of any material risks from cybersecurity threats, including as a result of any cybersecurity incident, which have materially affected, or are reasonably likely to materially affect, us, our business strategy, our results of operations, or our financial condition. 23

Company Information