Janus International Group, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Janus International Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:35:21 EST.

Filings

10-K filed on 2024-02-28

Janus International Group, Inc. filed an 10-K at 2024-02-28 16:35:21 EST
Accession Number: 0001839839-24-000066

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Organizations in our industry are frequently confronted with a broad range of cybersecurity threats, ranging from uncoordinated, individual attempts to gain unauthorized access to an organization s information technology ( IT ) environment to sophisticated and targeted cyberattacks sponsored by foreign governments and criminal enterprises. Although we employ comprehensive measures to prevent, detect, address, and mitigate these threats, a cybersecurity incident could potentially result in the misappropriation, destruction, corruption, or unavailability of critical data, personal identifiable information, and other confidential or proprietary data (our own or that of third parties) and the disruption of business operations. The potential consequences of a material cybersecurity incident include remediation and restoration costs, reputational damage, litigation with third parties, and diminution in the value of our investment in research and development, which in turn could adversely affect our competitiveness and results of operations. Accordingly, cybersecurity is an important part of our Enterprise Risk Management ( ERM ) program, and the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach. The Company s cybersecurity policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats and responding to cybersecurity incidents are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization, and other applicable industry standards. The Company has established certain controls and procedures, including an Incident Response Plan, that provide for the identification, analysis, notification, escalation, communication, and remediation of data security incidents at appropriate levels so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. In particular, the Company s Incident Response Plan: (i) is designed to identify and detect information security threats through various mechanisms, such as through security controls and third-party disclosures; and (ii) sets forth a process to (a) analyze any such threats detected within the Company s IT environment or within a third-party s IT environment, (b) contain cybersecurity threats under various circumstances, and (c) better ensure the Company can recover from cybersecurity incidents to a normal state of business operations. The Company has established and maintains other incident response and recovery plans that address the Company s response to a cybersecurity incident. We have cybersecurity insurance (subject to specified retentions or deductibles) related to cybersecurity incidents that addresses costs, losses, and expenses related to cybersecurity investigations, crisis management, notification processes and credit monitoring services, public relations, and legal advice. Additionally, this cybersecurity insurance may cover certain physical injury to, loss or destruction of tangible property, including loss of use thereof, or loss of use of tangible property which has not been physically injured or destroyed. However, damages, fines, and claims arising from such incidents may not be covered or may exceed the amount of any insurance available or may not be insurable. As part of its cybersecurity program, the Company deploys comprehensive measures to deter, prevent, detect, respond to and mitigate cybersecurity threats, including firewalls, anti-malware, intrusion prevention and detection systems, identity and access controls, software patching protocols, physical security measures, multi-factor authentication, and other tools to detect data exfiltration. The Company periodically assesses and tests the Company s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents by assessing current threat intelligence from various sources, including but not limited to, certain key vendors, the United States Cybersecurity & Infrastructure Security Agency ( CISA ), and the open source threat intelligence community via open-source threat intelligence databases. Furthermore, we conduct periodic table top exercises, vulnerability and security testing, and lessons learned reviews from internal and industry related cybersecurity incidents. We have a process to report material results of such testing and assessments to the Board and our Audit Committee, and periodically make adjustments to our cybersecurity program based on these exercises and reviews. The Company engages third parties to conduct certain aspects of such testing and to assist with the Managed Detection and Response ( MDR ) of security events as well as the collection and reporting of data for cybersecurity key performance indicators (i.e., KPIs). The Company seeks to identify and oversee cybersecurity risks presented by third parties and their systems from a risk-based perspective through a vendor management program, including annual reviews of key vendors adherence to cybersecurity compliance, the monitoring of alerts from CISA, as well as open-source threat intelligence. Some of our IT systems and products operate within a hosted architecture or by third-party service providers, and if these third-party IT environments fail to operate properly, our systems and products (including our Nok Smart Entry System) could stop functioning for a period of time, which could put our users at risk. Accordingly, our ability to keep our business operating is highly dependent on the proper and efficient operation of IT service providers, and our vendor management process is an important part of our risk mitigation strategy. In particular, we review Service Organization Controls ( SOC ) reports describing vendors compliance with cybersecurity best practices when they are available or an appropriate subset of those controls for vendors who do not have a SOC report. Notwithstanding, if there is a catastrophic event, such as an adverse weather condition, natural disaster, terrorist attack, security breach, or other extraordinary event, we, and our service providers, may be unable to provide our services and products for the duration of the event and/or a time thereafter. In light of the pervasive and increasing threat from cyberattacks, the Board and the Audit Committee, with input from management, assess the Company s cybersecurity threats and the measures implemented by the Company in an effort to mitigate and prevent cyberattacks. The Audit Committee consults with management regarding ongoing cybersecurity initiatives, and requests management to report to the Audit Committee or the full Board regularly on their assessment of the Company s cybersecurity program and risks. Both the Audit Committee (on no less than a quarterly basis) and the full Board (on no less than an annual basis) receive regular reports from our Information Technology Department on cybersecurity risks, timely reports regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates 21 regarding any such incident until it has been addressed. We anticipate these reporting activities will be overseen by our newly appointed Chief Information Officer ( CIO ) moving forward. The Company s information security and cybersecurity program is managed by a dedicated CIO, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The CIO provides periodic reports to our Board and Audit Committee as well as our Chief Financial Officer and other members of our senior management as appropriate. We have also established cross-functional teams to collaborate and communicate on cybersecurity-related issues. The reports to management include updates on the Company s cyber risks and threats, the status of projects to strengthen the Company s information security systems, assessments of the information security program, and the emerging threat landscape. Specifically, our management-driven ERM Committee and Incident Response team include executives from key departments across the Company and each work collaboratively to ensure periodic reviews and assessments of the Company s security environment are being observed. In November 2023, the Company appointed its first CIO, Phil Stevens, who served as both a CIO and Chief Technology Officer in previous roles, prior to joining the Company. Mr. Stevens has more than 25 years of experience in privately held and publicly traded companies and has an established track record of developing and overseeing various cybersecurity programs. Mr. Stevens holds a Bachelor of Science (B.S.) in Computer Science from Purdue University, a Master of Science (M.S.) in Information Technology from the Florida Institute of Technology, and specializations in AI Product Management and Machine Learning Operations (MLOps) from Duke University (Online). As of the date of this report, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Company Information