MasterBrand, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

MasterBrand, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 11:57:27 EST.

Filings

10-K filed on 2024-02-27

MasterBrand, Inc. filed a 10-K at 2024-02-27 11:57:27 EST
Accession Number: 0001941365-24-000021


Item 1C. Cybersecurity.

We are committed to protecting the confidentiality and integrity of our data, as well as the data of our associates and customers. The mission of our cybersecurity program is to protect the assets used to create products, generate revenue, and service customers while complying with industry frameworks. Our cybersecurity program consists of three key pillars: cyber defense, governance and compliance, and risk management. Each of these pillars consists of controls and processes that are aligned with the National Institute of Standards and Technology Cyber Security Framework. Managing cybersecurity risk and maintaining a secure, reliable, and functional corporate network and data systems are among our highest priorities. As a result, we have implemented practices, procedures, processes, and management mechanisms to help us achieve a robust cybersecurity environment.

Governance

Our Board delegates to the Audit Committee the oversight of our programs, policies, and procedures related to cybersecurity, information asset security, network security, and data privacy and protection. Broad oversight is maintained by our full Board, which receives a report from the Audit Committee at least annually.

Our VP, Cyber Security and Risk oversees our cybersecurity matters and has over 20 years of experience in cybersecurity and is a Certified Information Security Services Professional (CISSP). Our VP, Cyber Security and Risk reports to both the Audit Committee and the Board at least once a year, or more frequently as needed. The Audit Committee reviews and discusses with Company management key process and risk indicators, progress on plans to address key risks, and any material changes in threat landscapes or risk posture which could negatively affect our business.

Risk Management and Strategy

Cybersecurity risk management is a critical component of our overall enterprise risk management program. We consider cybersecurity to be a key risk, and we prioritize mitigating those risks.

Our cyber defense practices prioritize protection against cyber threats. We have operationalized a written incident response plan designed to assess, identify, address, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity and availability of our business and information systems. We perform periodic cybersecurity assessments, including with the assistance of external third parties, to identify, assess, and prioritize potential risks that could affect our information and data assets and infrastructure. In addition, we use a threat intelligence platform to routinely monitor risks specific to both our organization and third parties. Risks we identify are assessed based on severity and are addressed as appropriate through both tactical and strategic plans.

Our governance and compliance practice focuses on cybersecurity and data privacy policy taxonomy and policy compliance. We have implemented a number of measures to enhance the security and resiliency of our network and information and data systems. These measures include, but are not limited to: (i) user access control management; (ii) intrusion detection and prevention systems; (iii) information security continuity measures, including redundant systems and information backups; (iv) network segmentation; (v) encryption of critical information and data; (vi) event logging; (vii) implementation of an application patching and update cadence; and (viii) incident response planning.

Training and Awareness

Our associates are a critical part of our defense against potential cybersecurity incident exposure. All of our associates and contractors have a responsibility and a role to play by complying with our cybersecurity operational practices and reporting any potential cybersecurity incidents or exposures to our cybersecurity team. To ensure that associates can play their part in protecting our networks and data from cybersecurity incident exposure, all of our associates receive cybersecurity training in the form of online modules on an annual basis, routine simulations, and newsletters.

Material Cybersecurity Risks, Threats & Incidents

We are not aware of any cyber event that has had a material effect on our business. However, we cannot assure that we will not experience any such event in the future. Any security breach or other significant disruption involving our computer networks and related systems could cause substantial costs and other negative effects, including litigation, remediation costs, costs to deploy additional protection strategies, compromising of confidential information, and reputational damage adversely affecting investor confidence. Further, a penetration of our systems or a third-party's systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See Item 1A. Risk Factors for further details on risks related to potential breaches of our information technology systems.


Company Information

Name: MasterBrand, Inc.
CIK: 0001941365
SIC Description: Wood Household Furniture, (No Upholstered)
Ticker: MBC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30