BEACON ROOFING SUPPLY INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

BEACON ROOFING SUPPLY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 11:24:01 EST.

Filings

10-K filed on 2024-02-28

BEACON ROOFING SUPPLY INC filed an 10-K at 2024-02-28 11:24:01 EST
Accession Number: 0001124941-24-000024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have an information security program in place to safeguard our information systems and protect our confidential data. This cybersecurity risk management program is integrated into our broader enterprise risk management framework, under a Risk Committee that is led by our Chief Financial Officer and includes our Chief Technology Officer, who is responsible for cybersecurity and information technology matters, General Counsel, Chief Accounting Officer, Chief Human Resources Officer, Chief Commercial Officer, and other business and strategy leaders. The Risk Committee identifies, assesses, and manages enterprise level risks facing the Company, taking into account likelihood of occurrence and potential impact. The Risk Committee reports to our Executive Committee and this process is primarily overseen by the Audit Committee of our Board. Our Executive Committee consists of the Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Technology Officer, Chief Human Resources Officer, Chief Commercial Officer, and Vice President, Communications and Corporate Social Responsibility. Our information security program aligns with industry standards and best practices, such as the Center for Internet Security Critical Security Controls ( CIS Controls ). It consists of information security and privacy policies and procedures, which include, among other things, endpoint threat detection and response, identity and access management, vulnerability and patch management, and multi-factor authentication. 15 We also provide new hire and annual security awareness and privacy training to employees. We conduct monthly phishing assessment exercises to ensure employees are aware and educated about phishing threats and are trained to identify and report them. In addition, targeted training is conducted for key departments dealing with sensitive data types. We use third-party security firms to assist us in performing assessments annually and penetration testing regularly throughout the year on our applications, networks, and environments. We perform an annual review to verify our compliance with the Payment Card Industries Data Security Standards ( PCI DSS ). We use a variety of methods to oversee and identify material cybersecurity threats related to the use of third-party technology and services. By way of example, we perform diligence with respect to third parties, obtain contractual protections, and utilize third-party risk monitoring security rating services. In the event of a security issue, we have a written incident response plan and have retained trusted experts to assist us in quickly triaging, containing, and understanding the issue. Our management team periodically reviews our response readiness and completes tabletop exercises on potential cybersecurity breaches with the assistance of a third-party cybersecurity consultant. We use the results from these exercises to enhance our response plan and cybersecurity protections going forward. We are not aware of any material risks from cybersecurity threats that have materially impaired or could materially impair our business, results of operations, or financial condition. However, our information security controls, no matter how well designed or implemented, will not fully eliminate cybersecurity risk. It is possible that we are unable to detect or underestimate certain vulnerabilities, or that we may not effectively implement security controls as intended. The Company does manage information security issues that are immaterial individually and in the aggregate from time to time as part of our routine operations. For additional information regarding how cybersecurity threats could potentially materially affect our business strategy, results of operations or financial condition, see Part 1, Item 1A Risk Factors Risks Related to Information Technology . Interruption, interference with, or failure of information technology systems could hurt our ability to effectively provide our product and services, which could harm our reputation, financial condition, operating results and cash flows. Governance Board Oversight . The Audit Committee assists the Board in fulfilling its fiduciary duties regarding cybersecurity risk oversight. The Audit Committee is composed of directors with diverse professional experience, including three members with backgrounds in cybersecurity. We believe this expertise enables our Audit Committee to effectively oversee our cybersecurity risks and incident response plans. For more information on our directors expertise, see our definitive proxy statement for our 2024 Annual Meeting of Stockholders to be filed with the SEC. Our Chief Technology Officer briefs the Audit Committee of our Board quarterly, and our full Board annually, regarding cybersecurity risks and information security matters, including the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives and projects, the results of any third-party security ratings or assessments of our cybersecurity program, and regulatory updates. Members of management also provide regular updates to the Audit Committee on the categorization and management of enterprise risks, including information security risks. In addition, the Board participates in ongoing education and periodic tabletop exercises on cybersecurity breach response planning. Management s Role . Our Vice President, IT Technical Services reports to our Chief Technology Officer and is the head of our cybersecurity team. He is responsible for assessing and managing our cybersecurity management program, informs our Chief Technology Officer regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, and supervises and monitors such efforts. Our Chief Technology Officer has more than 20 years of experience in cybersecurity and information systems management, and our Vice President, IT Technical Services has nearly three decades of experience managing information systems, network infrastructure, and cybersecurity in the public and private sectors. This combined in-depth knowledge and experience has been critical in developing and implementing our cybersecurity programs. In addition to quarterly reports to the Audit Committee, as an Executive Vice President and member of the Executive Committee, our Chief Technology Officer regularly briefs the Executive Committee on the threat landscape, the Company s cybersecurity programs and risks, so that the highest level of management is regularly informed of cybersecurity issues for decision-making and guidance. 16 ITEM 2. PROPERTIES As of December 31, 2023, we leased 515 branch facilities and 6 non-branch facilities throughout the United States and Canada. These leased facilities range in size from approximately 2,000 square feet to 260,000 square feet. In addition, as of December 31, 2023, we owned 18 branch facilities. These owned facilities range in size from approximately 11,500 square feet to 68,000 square feet. We believe that our properties are in good operating condition and adequately serve our current business operations. The following table summarizes the locations of our branches and facilities as of December 31, 2023: Location Branches Non-Branch Facilities U.S. State Alabama 10 Alaska 1 Arizona 5 Arkansas 5 California 40 Colorado 15 Connecticut 6 1 Delaware 3 Florida 41 Georgia 16 Hawaii 2 Idaho 2 Illinois 17 Indiana 8 Iowa 3 Kansas 14 Kentucky 6 Louisiana 9 Maine 4 Maryland 18 Massachusetts 13 Michigan 11 Minnesota 6 1 Mississippi 5 Missouri 11 Montana 1 Nebraska 7 Nevada 3 New Hampshire 4 New Jersey 19 1 New Mexico 1 New York 15 North Carolina 23 1 North Dakota 2 Ohio 10 Oklahoma 7 Oregon 7 Pennsylvania 30 Rhode Island 1 South Carolina 10 17 Location Branches Non-Branch Facilities South Dakota 2 Tennessee 12 Texas 41 1 Utah 5 Vermont 1 Virginia 16 1 Washington 14 West Virginia 4 Wisconsin 7 Wyoming 2 Total United States 515 6 Canadian Province Alberta 2 British Columbia 2 Nova Scotia 1 Ontario 6 Quebec 6 Saskatchewan 1 Total Canada 18 Total All 533 6 18 ITEM 3. LEGAL PROCEEDINGS From time to time, we are involved in legal proceedings and governmental investigations arising in the ordinary course of business, including product-related, personal injury, employment, environmental, property, or commercial matters. These proceedings may also include actions brought against us with respect to corporate matters and transactions in which we were involved. The defense of these proceedings and governmental investigations may require significant expense and require management s time and attention and, depending on the resolution of the proceedings and investigations, we could be required to pay damages or fines. We accrue a liability for legal claims when payments associated with the claims become probable and the costs can be reasonably estimated. The actual costs of resolving legal claims may be substantially higher or lower than the amounts accrued for those claims, and insurance or indemnification rights may be insufficient or unavailable to protect the Company against all loss exposures. Our reputation could be negatively affected by publicity resulting from adverse outcomes in legal proceedings or governmental investigations. See Note 15 in the Notes to Consolidated Financial Statements for information about pending legal proceedings and governmental investigations. ITEM 4. MINE SAFETY DISCLOSURES Not applicable. 19 PART II ITEM 5. MARKET FOR REGISTRANT S COMMON EQUITY, RELATED STOCKHOLDER MATTERS AND ISSUER PURCHASES OF EQUITY SECURITIES Our common stock trades on the Nasdaq Global Select Market (the Nasdaq ) under the symbol BECN . As of February 9, 2024, there were 43 registered holders of record of our common stock. We have not paid cash dividends on our common stock and do not anticipate paying dividends in the foreseeable future. Our Board currently intends to retain any future earnings for reinvestment in our growing business. Any future determination to pay dividends will also be at the discretion of our Board and will be dependent upon our results of operations and cash flows, our financial position and capital requirements, general business conditions, legal, tax, regulatory and any contractual restrictions on the payment of dividends, and any other factors our Board deems relevant. Stock Performance Graph This stock performance graph shall not be deemed soliciting material or to be filed with the SEC for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the Exchange Act ), or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any filing of Beacon Roofing Supply, Inc. under the Securities Act of 1933, as amended, or the Exchange Act. The performance of Beacon Roofing Supply, Inc. s common stock depicted in the stock performance graph represents historical results only and is not necessarily indicative of future performance. The following graph compares the cumulative total stockholder return on Beacon Roofing Supply, Inc. s common stock (based on market prices) for the last five fiscal years (plus the Transition Period ending December 31, 2021) with the cumulative total return on (i) the Nasdaq Index and (ii) the S&P 1500 Trading Companies & Distributors Index, assuming a hypothetical $100 investment in each on September 30, 2018 and the re-investment of all dividends. The closing price of our common stock on December 31, 2023, was $87.02. *The cumulative five year total return is inclusive of the Transition Period ending December 31, 2021. 20 Base Period INDEXED RETURNS Company / Index 9/30/2018 9/30/2019 9/30/2020 9/30/2021 12/31/2021 12/31/2022 12/31/2023 Beacon Roofing Supply, Inc. 100 92.65 85.85 131.97 158.47 145.87 240.45 Nasdaq Index 100 100.52 141.70 184.58 200.17 135.04 195.33 S&P 1500 Trading Companies & Distributors Index 100 91.76 113.45 155.81 182.07 173.77 260.64 Issuer Purchases of Equity Securities The following table provides information with respect to our purchases of common stock during the fourth quarter of 2023 (in millions, except share and per share amounts): Period Total Number of Shares Purchased Average Price Paid per Share Total Number of Shares Purchased as Part of Publicly Announced Plans or Programs 1,2 Maximum Approximate Dollar Value of Shares that May Yet Be Purchased Under the Plans or Programs October 1 - 31, 2023 $ $ 400.1 November 1 - 30, 2023 140,000 78.52 140,000 $ 389.1 December 1 - 31, 2023 $ 389.1 Total 140,000 $ 78.52 140,000 1. On February 24, 2022, the Company announced a program to repurchase up to $500.0 million of its common stock. On February 23, 2023, the Company announced that its Board authorized and approved an increase of the Repurchase Program by approximately $387.9 million, permitting future share repurchases of $500.0 million. 2. All repurchases were made through open market transactions. See Note 8 in the Notes to Consolidated Financial Statements for additional information on our share repurchase program. ITEM 6. [RESERVED] Not applicable. 21 ITEM 7. MANAGEMENT S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS The following discussion and analysis should be read in conjunction with our consolidated financial statements and related notes and other financial information appearing elsewhere in this Annual Report on Form 10-K. All references to 2023 and 2022 are referring to the twelve-month periods ended December 31 for each of those respective fiscal years. This section of this Annual Report on Form 10-K generally discusses 2023 and 2022 items and year-to-year comparisons between such periods. Discussions of items from 2022 and the twelve-month period ended September 30, 2021 (the Company s 2021 fiscal year) and year-to-year comparisons between such periods that are not included in this Form 10-K can be found in Part II, Item 7, Management s Discussion and Analysis of Financial Condition and Results of Operations in our Annual Report on Form 10-K for the year ended December 31, 2022. Discussions of year-to-year comparisons between the three-month periods ended December 31, 2021 and 2020 that are not included in this Form 10-K can be found in Part I,

Company Information