Rayonier, L.P. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Rayonier, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:47:46 EST.

Filings

10-K filed on 2024-02-23

Rayonier, L.P. filed a 10-K at 2024-02-23 16:47:46 EST
Accession Number: 0000052827-24-000014


Item 1C. Cybersecurity.

RISK MANAGEMENT AND STRATEGY

We are subject to various cybersecurity risks in connection with our business. For additional information, see Item 1A Risk Factors. As part of our overall enterprise risk management system and processes, we assess, identify and manage material risks from threats to our information systems. Once risks are identified, our Enterprise Risk Management Committee (ERM Committee), which consists of executives appointed by the Board, oversees and reviews these risks and provides an annual report regarding such risks to the Audit Committee for further review and evaluation. We also maintain processes to oversee and identify risks from cyber threats associated with our use of third-party service providers, including annual reviews of third-party SOC1 reports.

Safeguarding our operations against cyber threats is a high priority. Recognizing the importance of a strong posture towards cyber threats, our strategy to combat the evolving threat landscape and support the protection of sensitive information includes engaging in:

Incident Response Planning and Data Backups. We maintain and regularly review a detailed incident response plan to help minimize downtime and disruption in the event of a cybersecurity incident and to assess materiality and any related disclosure obligations. We also actively maintain data backup procedures for business continuity in the event of a cybersecurity incident. Examples of our backup procedures and systems include daily server snapshots, database log files, Salesforce backups, and Google Vault. Generally, these backups of critical systems would allow us to restore operation within hours.

Third-Party Managed Monitoring, Detection, and Response Services. We partner with a reputable third-party firm for 24/7 threat monitoring, detection and response.

External Cybersecurity Process Assessments. We also engage third-party experts to conduct periodic process assessments against the U.S. National Institute of Standards and Technology (NIST) framework to help us evaluate and enhance our cybersecurity practices.

Penetration Testing and Phishing Simulations. We periodically engage experts for penetration testing to identify system vulnerabilities and to simulate real-world cyberattacks. We also conduct quarterly phishing simulations to test our staff’s response and to deliver targeted cyber awareness training.

Continuous Improvement and Adaptation. We regularly review and update our strategies to keep pace with the dynamic cyber threat landscape, and to build a resilient and responsive cybersecurity system. Our employees receive monthly training on data protection, threat detection, and incident response. We also provide a forum for employees to report cyber near misses to elevate cyber threat awareness across our organization.

In the past, we have experienced targeted and non-targeted cybersecurity attacks and incidents, and we could in the future experience similar attacks. To date, no cybersecurity attack or incident, or any risk from cybersecurity threats, has materially affected or has been determined to be reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition.

GOVERNANCE

Our Director of Information Technology and our Manager of IT Security, having a combined 45 years of information technology experience (1), take the lead in protecting the organization's digital assets and sensitive information from cyber threats and manage our partnerships with the external firm that specializes in around-the-clock threat monitoring, detection, and response services and other third-party providers. In the event of a breach or incident, our Director of Information Technology leads our response to mitigate impact and initiate the recovery processes.

Following the identification of a breach or incident, the Director of Information Technology reports incidents of a medium or high severity level (2) to our senior leadership team. Incidents of a high severity level are also reviewed by our Disclosure Committee to assess materiality and any disclosure obligations. All incidents are reported to the Audit Committee at the next scheduled Board meeting, and incidents of high severity level are immediately reported to the Audit Committee.

The Audit Committee of our Board of Directors is responsible for overseeing cybersecurity risk management. For each Audit Committee meeting, the Director of Information Technology prepares an updated cybersecurity dashboard, featuring key metrics such as threat detection rates and response times. Additionally, the Director of Information Technology provides an annual cybersecurity briefing to the Audit Committee. External penetration tests and process audits, conducted at regular intervals, are reported directly to the Audit Committee by our third-party firm. These comprehensive measures help to ensure that the Committee remains well-informed and proactive in their oversight of cybersecurity risks.

(1) Our Director of Information Technology has more than 25 years of IT experience. He joined the company in 2000 as an application developer and has held multiple positions of authority including project management and IT operations management. He holds a bachelor's degree and MBA from the University of South Carolina. Our Manager of IT security has more than 20 years of IT experience. He joined the company in 2015 as a Systems Engineer and was promoted to his current position in 2020. Prior to joining Rayonier, he worked as an Infrastructure Engineer at Enterprise Integration (EI), a managed services provider. Prior to joining EI, he held various IT roles in support and engineering.

(2) A medium severity incident level is defined as incidents that have a moderate impact on business operations or data integrity and might affect internal systems and could potentially lead to limited unauthorized access to sensitive information. A high severity incident level is defined as incidents that pose a significant threat to business operations, data integrity, or confidential information. This level of incident may have legal, regulatory and public relations implications.


Company Information

Name: Rayonier, L.P.
CIK: 0001806931
SIC Description: Real Estate Investment Trusts
Ticker:
Website:
Category:
Fiscal Year End: December 30