Installed Building Products, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Installed Building Products, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:47:15 EST.

Filings

10-K filed on 2024-02-22

Installed Building Products, Inc. filed an 10-K at 2024-02-22 16:47:15 EST
Accession Number: 0001580905-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity OVERVIEW Like all modern businesses within the global economy, we are susceptible to cybersecurity threats. Our suppliers, vendors, and customers face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, financial position, business strategy, and results of operations. As discussed in more detail below, we have policies and procedures in place as part of our overall risk management strategy to, among other things, monitor our systems, train and raise awareness of cybersecurity threats amongst employees, and detect intrusions on our systems. 28 Notwithstanding our efforts at cybersecurity, no system of prevention is impenetrable, and we cannot guarantee that we will be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. From time to time, we have experienced cybersecurity incidents in the normal course of our business. As of the date of this report, we are not aware of any cybersecurity incident or threat that has materially affected or is reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, future cybersecurity incidents could materially affect our strategy, results of operations or financial condition. See Item 1A. Risk Factors for additional information on how risks could materially affect the Company. CYBERSECURITY RISK MANAGEMENT AND STRATEGY As part of our Enterprise Risk Management ( ERM ) program, we maintain processes to assess, identify, manage, mitigate, and respond to material risks from cybersecurity threats. Central to these processes is a committee comprised of our head of Internal Audit, our Chief Information Officer ( CIO ), members of our executive team, and other senior members of management that evaluates cybersecurity risks and designs, and ensure implementation of, appropriate controls, protections and training. This committee periodically reviews overall risks to the Company as part of the ERM program and ensures the alignment of cybersecurity efforts with the overall risk management framework. The committee has identified cybersecurity threats as one of the primary categories of risk to the Company. Our information systems align with industry security standards. Our cybersecurity program, where appropriate, aligns with the Center of Internet Security ( CIS ) Control framework, which itself is modeled after the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework ( CSF ). Our policies and procedures concerning cybersecurity matters include processes to safeguard our information systems, monitor these systems, protect the confidentiality and integrity of our data, detect intrusions into our systems, and respond to cybersecurity incidents. We also regularly review our incident response and business continuity plans to ensure readiness if and when an incident does occur, and we test our incident response plan through tabletop exercises. Furthermore, we have established a cyber safety program which consists of a team of employees who concentrate on raising cybersecurity awareness in office and home-office environments to educate employees connected to the systems we use on how to identify and report security threats or breaches. We continually evaluate cybersecurity risks on an ongoing basis as part of our overall risk management strategy. We assess and identify cybersecurity risks through periodic risk assessments, penetration testing, and vulnerability scans, among other procedures and practices. We also receive cybersecurity alerts and threat intelligence from our peers, government agencies, information sharing and analysis centers and cybersecurity-related groups or associations. These and other measures are used to evaluate cybersecurity risks in a timely manner and to allocate resources in alignment with the overall risk management program. In the event of an incident, we intend to follow our detailed incident response policy, which outlines the steps to be followed from incident detection to eradication, recovery and notification. In addition, we regularly engage various third-parties to assess or test our systems and processes to enhance our detection and management of cybersecurity risks or assist with implementation of our risk management strategies, including consultants who assist with assessing risks, information security experts who conduct tabletop exercises with participation from company management, and our external auditor who performs cybersecurity reviews as part of our annual audit. Our operations rely on third-party suppliers, vendors, software programs, hardware products, and network systems, including cloud-based technologies, and we have processes to identify and evaluate cybersecurity risks and incidents associated with certain identified third-party providers. CYBERSECURITY GOVERNANCE The Board of Directors Oversight of Cybersecurity Risks Our Board of Directors (the Board ) maintains principal oversight responsibility for our ERM program. This oversight is facilitated primarily through the Audit Committee of the Board of Directors, which is responsible for oversight of our cybersecurity risk management processes. The chairman of our Audit Committee has earned a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors, which aids the Audit Committee s understanding of cybersecurity risks and assists the Audit Committee in overseeing the risk management program. The Audit Committee and the Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. Senior leadership, including our CIO, briefs the Board of Directors and the Audit Committee on cybersecurity risks and the effectiveness of our cybersecurity program as part of updates on our overall ERM program. Our 29 head of Internal Audit also provides the Audit Committee with an assessment of any material changes to cybersecurity risks and controls as a result of cybersecurity threats on at least a semi-annual basis. Management s Role in Assessing and Managing Material Risks from Cybersecurity Threats Management is responsible for assessing and managing our cybersecurity risk management program. We have various teams and committees charged with monitoring risks, implementing controls, developing information security policies and procedures, and assessing cyber events. In addition to our Information Technology (IT) department, we have an Information Security (IS) department that provides oversight of our cybersecurity-related controls, including assistance in the development of related policies and procedures. The IT department is overseen by an Chief Technology Officer (CTO) who has an undergraduate degree in network and systems administration as well as significant experience in the development, operation, monitoring and management of information system operations, including but not to limited to cybersecurity oriented controls. The IS department is overseen by a Senior Cybersecurity Manager who holds a Master of Science degree and has varied experience in the field of information technology. Both the IT and IS departments report to the CIO, who holds various certifications in systems and cybersecurity methodologies and has over two decades of experience in the management of various aspects of information systems operations. The CIO approves the information security policies and procedures, implementation of controls, monitoring and detection programs, and employee training on cybersecurity risks. The CIO also is responsible for reporting on cybersecurity matters to the Board. IT and/or IS inform the CIO concerning cybersecurity risks and events, including any mitigation and remediation efforts. Cybersecurity incidents are escalated to an incident response team ( IRT ), which is headed by the CIO. The IRT is responsible for overseeing our incident response strategy, including remediation. For ongoing events, those responsible for investigating the incident are required to continuously update the IRT and the CIO until the event is considered to be resolved. Significant cybersecurity incidents are referred to a committee responsible for evaluating whether the incident is material using criteria based on our ERM program. This committee is comprised of a cross functional team of various senior members of management including the areas of Finance, Accounting, Legal, IT Security, and Risk. If a cybersecurity incident is deemed to have the potential for a material impact on the Company, our Incident Response, Reporting and Management Policy dictates procedures for promptly briefing the Audit Committee. In addition, our CIO reports all cybersecurity incidents, whether ongoing or first experienced during the quarter, to the Audit Committee at each quarterly meeting, and more frequently if necessary. 30

Company Information