NUCOR CORP 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

NUCOR CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:21:09 EST.

Filings

10-K filed on 2024-02-27

NUCOR CORP filed an 10-K at 2024-02-27 16:21:09 EST
Accession Number: 0000950170-24-021195

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Nucor recognizes the importance of developing, implementing, and maintaining effective cybersecurity measures designed to protect our information systems and the confidentiality, integrity, and availability of our data. We face a number of information technology and cybersecurity threats which could have an adverse effect on our business and results of operations. Notwithstanding the Company s cybersecurity framework and preventative strategies, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. Risk Factors for a discussion of cybersecurity risks. 25 Risk Management and Strategy Overview We have developed and implemented a cybersecurity risk management program that is intended to enable us to assess, identify, and manage risk associated with cybersecurity threats. Our program is based on the Cybersecurity Framework promulgated by the National Institute of Standards and Technology and other applicable industry standards, and includes the following key elements: identification and assessment of cybersecurity threats based on internal and external assessments and monitoring, information from internal stakeholders, and external publications and resources such as those made available by the United States Cybersecurity and Infrastructure Security Agency; technical and organizational safeguards designed to protect against identified threats, including documented policies and procedures, technical controls, and employee education and awareness; processes to detect the occurrence of cybersecurity events, and maintenance and regular testing of incident response and recovery and business continuity plans and processes; and a third-party risk management process to manage cybersecurity risks associated with our service providers, suppliers, and vendors. The program is designed to foster a culture of cybersecurity risk management across the Company. Integrated Overall Risk Management Assessing, identifying, and managing cybersecurity-related risks is integrated into our overall risk management framework. The Company conducts an annual cybersecurity risk assessment and reports the most significant risks and associated planned mitigation strategies to the Audit Committee of the Board of Directors. The annual risk assessment is carried out under the supervision of the President of Nucor Business Technology, the Company s Cybersecurity Director, and the Company s Vice President and Corporate Controller. See Governance below. The Board also regularly receives focused presentations regarding cybersecurity risks from the Company s Cybersecurity Director. Third-Party Engagement Due to the complexity and ever-changing nature of cybersecurity threats, Nucor engages a range of external experts to assist in its assessment, identification, and management of risks from cybersecurity threats. These include cybersecurity assessors, forensic and incident response experts, and auditors to review the Company s cybersecurity posture and responsive efforts. Our relationships with these external partners enable us to leverage their expertise with the goal of maintaining best practices. Oversight of Third-Party Risks Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact Nucor in certain circumstances. In response, we have implemented processes for overseeing and managing these risks. Those processes include limiting the exposure of our information systems to external systems to the least practicable amount, assessing the third parties information security practices before allowing them to access our information systems or data, requiring the third parties to implement appropriate cybersecurity controls in our agreements with them, and conducting ongoing monitoring of their compliance with those requirements. We also utilize third-party risk and compliance monitoring services to monitor our service providers, suppliers, and vendors and to augment the effectiveness of our risk mitigation efforts in this area. 26 Risks from Cybersecurity Threats As of the date of this report, no risks from cybersecurity threats, including as a result of cybersecurity incidents we have experienced in the past, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Governance The Company seeks to ensure effective governance in managing risks associated with cybersecurity threats, as more thoroughly described below. Board of Directors Oversight The Audit Committee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats. The Audit Committee is composed of directors with a wide range of experience, including risk management and controls, and technology. See Integrated Overall Risk Management above. Management s Role in Cybersecurity Risk Management A division of the Company known as Nucor Business Technology, or NBT, is responsible for the Company s information technology needs, including cybersecurity risk assessment and management. NBT s cybersecurity function is led by the Cybersecurity Director, who reports to the President of NBT, who in turn reports to the Company s Chair, President, and Chief Executive Officer. The current Cybersecurity Director has twenty years of experience in the cybersecurity field and has broad expertise in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, and incident response. The Company also has a Risk Committee composed of the following members of the Company s management: Executive Vice President, Business Services & General Counsel President, Nucor Business Technology Vice President and Corporate Controller Vice President and General Manager, Corporate Legal Affairs General Manager of Internal Audit Cybersecurity Director Manager of External Reporting The Risk Committee is responsible for overseeing the Company s response to cybersecurity incidents. The Risk Committee and the Chair, President, and Chief Executive Officer inform the Audit Committee and the Board of Directors on cybersecurity risks. Monitoring of Cybersecurity Incidents The Cybersecurity Director implements and oversees our processes for regularly monitoring our information systems. This includes security measures and regular audits to identify potential issues. In the event of a cybersecurity incident, we have an established incident response plan that requires prompt notification of the Cybersecurity Director or their designee, who in turn oversees our assessment of and response to the incident. The Cybersecurity Director is also responsible for informing the Risk Committee of cybersecurity incidents, which in turn has a detailed process for assessing the impacts of incidents and monitoring the Company s mitigation and remediation efforts. Depending on the nature of the incident, 27 this process also provides for escalating notification to senior executives, including the Chair, President, and Chief Executive Officer and to the Board of Directors.

Company Information