MUELLER INDUSTRIES INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

MUELLER INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:01:25 EST.

Filings

10-K filed on 2024-02-28

MUELLER INDUSTRIES INC filed an 10-K at 2024-02-28 17:01:25 EST
Accession Number: 0000089439-24-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Our business operations depend on the availability, integrity and secure processing, storage, and transmission of confidential and sensitive information, digitally and through interconnected systems, including those of our vendors, service providers and other third parties on which we rely. Consequently, we maintain a formal data protection program, including physical, technical and administrative safeguards, to prevent and mitigate the risks posed by cybersecurity threats and incidents and to identify, analyze, address, mitigate and remediate those incidents that do occur. As part of our program: we regularly review and update at least annually our standard policies and procedures related to information technology and analyze those policies against the standards and controls that we believe are most relevant to our Company set by organizations such as the National Institute of Standards and Technology (NIST) cybersecurity framework and the International Organization for Standardization (ISO); we maintain a dedicated cybersecurity team under the direction of our Chief Information Officer (CIO), who has expertise related to data and network security, data governance and risk management; we regularly test our internal IT controls; we regularly conduct internal vulnerability assessments as well as third-party penetration tests; we maintain, and we require our third-party service providers to maintain, security controls designed to ensure the confidentiality, integrity, and availability of our information systems and the confidential and sensitive information we maintain and process, or which is processed on our behalf; all employees are required to complete periodic trainings that cover security and privacy best practices and company policies; and we have prepared and regularly review and test our business continuity, disaster recovery and other back-up plans, including as they relate to cybersecurity incidents. In connection with the design, implementation and testing of our cybersecurity program, we also work, as appropriate, with our accountants, independent assessors, legal counsel and other consultants. 9 We have an incident reporting and escalation process that we believe to be effective in detecting and analyzing cyber incidents as they occur to determine appropriate response action and reporting, including the materiality of any such incidents to our financial condition and operations. This process includes: continual monitoring of our systems and logs by both internal and outsourced staff; immediate escalation to and review by our CIO of certain signals, including evidence of external threat actors, ransomware attacks, data exfiltration, identity compromise or unusual requests from management or certain departments; if deemed appropriate, reporting by our CIO to the Company s senior leadership, which based on the circumstances, may include executive officers and representatives of our accounting, human resources, finance, information technology and legal functions, and consultation with internal and external legal counsel, for further review and determination of the scope and materiality of the incident or incidents, including whether public disclosure is appropriate or required; and informing our Board of Directors (the Board ) of significant or material cybersecurity incidents, as appropriate. While we, our clients and our vendors are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this report. In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost client revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services, client dissatisfaction, and loss of investor confidence. Governance Our Board actively oversees our risk management activities both directly and through its committees and considers various risk topics throughout the year, including cybersecurity and information security risk management and controls. As part of its oversight function, the Audit Committee of the Board oversees the Company s risk assessment and risk management policies, including related to cybersecurity and the data protection program, and performs an annual review and assessment of the primary operational and regulatory risks facing the Company, their relative magnitude and management s plan for mitigating these risks. At least annually, our CIO reports to the Audit Committee with a comprehensive report addressing a broad range of topics, including significant cybersecurity incidents that have occurred since the last update, the status of projects and initiatives to update our cybersecurity policies and practices, and ongoing efforts to prevent, detect, and respond to internal and external critical threats. Our senior management is responsible for assessing and managing the Company s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through a robust enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. Our CIO has primary responsibility for managing our cybersecurity program and efforts. Our internal audit team is responsible for the testing and audit of our information-technology internal controls. We believe our information technology team to be well-qualified in this area. These qualifications include professional experience in the field and recent participation in IT and cybersecurity programs organized by leading institutions with expertise in the field. 10

Company Information