Cornerstone Building Brands, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Cornerstone Building Brands, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:01:43 EST.

Filings

10-K filed on 2024-02-23

Cornerstone Building Brands, Inc. filed an 10-K at 2024-02-23 16:01:43 EST
Accession Number: 0000883902-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Risk Assessments The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. The Company has integrated cybersecurity risk management into our broader enterprise risk management framework to promote a company-wide culture of cybersecurity risk awareness and management. This integration aims to ensure that cybersecurity considerations are an integral part of our decision-making processes at every level. We maintain an enterprise risk management program ( ERM ) designed to assess, identify, manage and mitigate material risks, including cybersecurity risk. ERM is a Company-wide initiative that involves both the Board of Directors and the Company s management. The program is designed to (i) identify and assess risks most critical to the Company s success including through detailed analysis of the likelihood of occurrence and potential impact of each risk, (ii) assign individual executives the responsibility of managing those risks, and (iii) align those management assignments with appropriate board-level oversight. Our General Counsel and Assistant General Counsel Compliance drive the program. The executive leadership team, including our Chief Executive Officer, and the Company s management team, comprised of department leaders and subject matter experts, are responsible for identifying, assessing managing and mitigating risks. With respect to cybersecurity risk, our legal and compliance team works closely with our IT leaders to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. External experts supplement our internal expertise as necessary. Risks identified as significant risks are communicated to the Board of Directors, who ultimately oversees the program both directly and indirectly through Board Committees, such as the Audit Committee. 22 TABLE OF CONTENTS Risk management, including risks related to cybersecurity is also incorporated into the review and approval process for our project management organization ( PMO ). Our cybersecurity risk management program includes enterprise-wise monitoring of cyber activity to identify and analyze potential events that may have an adverse effect or impact on the Company s assets, systems, resources or reputation. This monitoring is designed to identify both external activity and routine internal activity for behavior that may be unusual or potentially malicious. Depending upon the nature and severity of the risk, cybersecurity monitoring and identification can result in automated processes to immediately block and remove undesired risks, cybersecurity team review and action, or both. The Cybersecurity Incident Response Plan provides a framework for addressing a cyber-crisis, cyber-incident and/or data breach, which could include activating crisis, or business continuity recovery plans, as appropriate. These plans are regularly reviewed and updated by our Chief Information Officer and communicated to appropriate stakeholders. Third-Party Engagement Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, with the aim of modeling our cybersecurity strategies and processes after industry best practices. Our collaboration with these third parties includes managed services, team augmentation, independent audits, vulnerability management, threat and attack and consultation on security risks enhancements. Some engagements involve point in time activities with end products or reporting while others involve ongoing monitoring and management of risk across the Company. Third-Party Risk Management Because we are aware of the risks associated with third-party service providers, such as suppliers, software and cloud-based service providers, and cybersecurity partners, the Company implements processes to oversee and manage these risks. We assess the risks from cybersecurity threats that impact select suppliers and third-party service providers with whom we share personal identifying and confidential information. We require third parties to maintain security controls to protect our confidential information and data and notify us of breaches that may impact our data. Third parties that interact with our information or have access to our systems may have additional security requirements depending on the levels of risk. When new third-party risks are identified, we require those impacted to implement appropriate remediations or controls. Identified risks are documented and tracked along with general ongoing monitoring of third parties external risk posture. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third party service providers. Learning from Threats/Incidents During the last year we have not identified cybersecurity threats or challenges that have materially impaired our operations or financial condition. Our monthly baselines for cybersecurity are closely tracked and show a continual improvement and reduction of risk over the last three years. Similarly, incident investigations over the same period have reduced in severity and frequency. These internal metrics are consistent with our third-party risk scorecard subscriptions which similarly show a year-over-year improvement in our risk posture over the last three years. See Risk Factor, Damage to our computer infrastructure and software systems and issues relating to the incorporation of artificial intelligence ( AI ) solutions into our systems, could harm our business. Board Oversight The Board of Directors has established robust oversight mechanisms designed to ensure effective governance in managing risks associated with cybersecurity threats due to the significance of these threats to our operational integrity. The Board of Directors have delegated to the Audit Committee oversight over cybersecurity risk. Governance Conveying Risks to the Board of Directors The Chief Information Officer ( CIO ) and Chief Financial Officer ( CFO ) play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a quarterly basis at the Audit Committee meetings. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats Status of ongoing cybersecurity initiatives and strategies 23 TABLE OF CONTENTS Incident reports and learnings from cybersecurity events; and Compliance with regulatory requirements and industry standards. In addition to our scheduled meetings, the Audit Committee, CIO and CFO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks to ensure that the Board Director s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance for major initiatives. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Audit Committee or Board of Directors through the Board-approved escalation protocol. Governance and Management Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the Director Cyber Security under the oversight of the Chief Information Officer. With over 20 years in the field of IT and cybersecurity, the Director, Cybersecurity has significant professional experience including senior technical leadership roles along with consulting and management roles at public and private companies in the manufacturing , chemical and oil and gas sectors. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. He holds a masters in science degree from the University of Texas at Austin and professional certifications that include a CISSP and an active U.S. Government security clearance. Our Director Cyber Security oversees our cybersecurity governance programs and leads a team responsible for cybersecurity risk assessment, continuous monitoring for internal and external threats and vulnerabilities, remediation of known risks, and employee cybersecurity training. Management Oversight The Director Cyber Security and Chief Information Officer are regularly informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. Keeping senior management abreast of the cybersecurity posture and potential risks facing the Company is viewed as crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Director Cyber Security leads a team of Cybersecurity Engineers and manages vendor relationships and is responsible for implementation and oversight of processes for monitoring enterprise information systems. These processes include the deployment of advanced cybersecurity platforms which continually assess, remediate and provide regular measures and regular system audits so that identified threats and potential vulnerabilities can be addressed. In the event of a cybersecurity incident, the Director Cyber Security is equipped with our Cybersecurity Incident Response Plan. This plan includes an escalation protocol to ensure Company leaders and the Board of Directors are aware of and can oversee response plans, immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Processes also include escalating potentially material incidents directly to the General Counsel to ensure incidents are reported as required by applicable law and regulation. Both the Board of Directors and the Company s IT Steering committee, which is comprised of senior executives are kept updated on any material incidents, Cybersecurity initiatives and strategic roadmap.

Company Information