TopBuild Corp 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

TopBuild Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:06:09 EST.

Filings

10-K filed on 2024-02-28

TopBuild Corp filed a 10-K at 2024-02-28 16:06:09 EST
Accession Number: 0001558370-24-001999


Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY RISK MANAGEMENT, STRATEGY AND GOVERNANCE

Cybersecurity Risk Management Program

We recognize the importance of maintaining the integrity of our information technology systems and safeguarding the confidential business and personal information we receive and store about our employees, customers and suppliers. We have a cybersecurity risk management program in place designed to assess, identify and manage material risks from cybersecurity threats. Our cybersecurity risk management program is designed to employ industry best practices across our operations and business functions, including monitoring and analysis of the threat environment, vulnerability assessments, and third-party cybersecurity risks; detecting and responding to cyber attacks, cybersecurity incidents, and data breaches; cybersecurity crisis preparedness, incident response plans, and business continuity and disaster recovery capabilities; and investments in cybersecurity infrastructure and program needs. Among the key features of our program are:

- Periodic independent, third-party reviews of our program and its maturity based on the National Institute of Standards and Technology (NIST) cybersecurity framework;
- Strategic periodic engagements of consulting firms to advise the Board and our executive officers regarding the structure and oversight of our cybersecurity risk management program, cyber strategy framework evolution, risk-based assessments, incident response services, and cyber technology;
- Consulting with external advisors and specialists on specific projects regarding opportunities and enhancements to strengthen our cyber practices and policies on an as-needed basis;
- Periodic review of SOC1 and SOC2 audit reports submitted by our strategic third-party technology suppliers, as prepared by their external auditors;
- Ongoing cybersecurity training for employees; and
- Periodic testing of incident response procedures.

In addition to the third parties described above, we regularly engage consultants, advisors, service providers and other third parties to help develop and manage our cybersecurity risk management program. Our cybersecurity risk management program includes technology and processes designed to maintain active security of our information technology systems. We have not experienced a material cyber breach in the last three years. We do not believe that any risks from cybersecurity threats of which we are currently aware, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For additional information regarding the risks to the Company associated with cybersecurity incidents, see "In the event of a cybersecurity incident, we could experience operational interruptions, incur substantial additional costs, become subject to legal or regulatory proceedings or suffer damage to our reputation," included in Part I, Item 1A (Risk Factors) of this Annual Report. To help identify and manage cybersecurity risks associated with our use of third-party service providers, we have implemented processes to assess third-party systems which could be compromised in a manner that adversely impacts the Company and our technology systems. In this regard, we conduct due diligence of significant third-party service providers who will have access to our information technology systems and incorporate cybersecurity protections in our engagement contracts with such providers. In addition, we require such third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations.

Further, our external auditor reviews our processes designed to control access to our information technology systems as part of its assessment of our internal controls.

Incident Response Procedures

We have in place a cyber incident response plan outlining procedures to follow in the event of a cybersecurity incident. Under the plan, we established a cross-functional critical response team (CRT) with expertise in various subject matter areas responsible for initiating and leading our incident response procedures. The CRT is under the direction of our Chief Information Officer and is comprised of our Director of Information Technology, Chief Accounting Officer, Assistant General Counsel and Chief Compliance Officer, Senior Manager of Risk and Insurance, and certain other members of management. The plan provides that our CRT will conduct an impact assessment in the event of a cybersecurity incident meeting pre-established criteria, or which may otherwise impact the operations or finances of the Company. If any such cybersecurity incident is determined by the CRT to have the potential to materially impact the Company, such event would be elevated for further review and assessment by a senior leadership team consisting of our Chief Executive Officer, Chief Financial Officer, General Counsel and, under certain circumstances, the Board.

Governance

Our full Board is responsible for oversight of risks from cybersecurity threats, including our cybersecurity risk management program. In carrying out its oversight responsibilities, the Board receives an annual cybersecurity assessment and quarterly scorecards from our Chief Information Officer, which cover topics related to information security, privacy and cyber risks, and our risk management processes, including the status of any recent cybersecurity events meeting specified criteria, the emerging threat landscape, and the status of capital investments in our information security infrastructure.

At a management level, our cybersecurity risk management program is led by our Chief Information Officer, who reports to our Chief Executive Officer. Under our Chief Information Officer's leadership, the cybersecurity team implements and provides governance and functional oversight for cybersecurity controls and services. The team's credentials include Certified Information Security Manager and Certified Information Systems Security Professional. To help identify, assess, and manage risks from cybersecurity threats, we have integrated cybersecurity risk management into our broader, Company-wide enterprise risk management (ERM) evaluation and strategy process, which is led by our executive officers, overseen by the Audit Committee of the Board, and reviewed annually by the full Board. Our ERM process takes a top-down, enterprise view of material risks impacting our Company, including credit, liquidity, strategy, cybersecurity, and operational risks, and is an ongoing process consisting of risk identification, risk rating, analysis and action plans, and reporting and monitoring. Employees responsible for assessing identified risks deliver an update quarterly to our senior leadership team, which consists of our Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Chief Information Officer, General Counsel, Chief Human Resources Officer, Chief Growth Officer, and Vice President of Supply Chain. Status updates with respect to these risk areas are delivered quarterly by management to the Audit Committee of the Board, and full risk assessment results are presented by management annually to the full Board.


Company Information

Name: TopBuild Corp
CIK: 0001633931
SIC Description: Construction - Special Trade Contractors
Ticker: BLD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30