VALMONT INDUSTRIES INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

VALMONT INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 15:52:14 EST.

Filings

10-K filed on 2024-02-28

VALMONT INDUSTRIES INC filed an 10-K at 2024-02-28 15:52:14 EST
Accession Number: 0000102729-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C in this report. While these measures are designed to prevent, detect, respond to, and mitigate unauthorized activity, there is no guarantee that they will be sufficient to prevent or mitigate the risk of a cyberattack whether experienced directly through our information technology systems and networks or third-party service providers, or allow us to detect, report, or respond adequately in a timely manner. Successful cybersecurity attacks or other security incidents could result in the loss of key innovations in artificial intelligence, Internet of Things, or other disruptive technologies; the loss of access to critical data or systems through ransomware, crypto mining, destructive attacks, or other means; and business delays, service or system disruptions, or denials of service. This could lead to legal risk, fines and penalties, negative publicity, theft, modification or destruction of proprietary information or key information, manufacture of defective products, production downtimes, and operational disruptions, which could adversely affect our reputation, competitiveness, and results of operations. Regulatory and business developments regarding climate change could adversely impact our operations and demand for our products. Regulatory and business developments regarding climate change could adversely impact our operations. We follow the scientific discussion on climate change and related legislative and regulatory enactments, including those under consideration, to deliberate the potential impact on our operations and demand for our products. The scientific discussion on the presence and scope of climate change and the attention that domestic and international legislatures and regulatory authorities have given to enacting or considering laws or rules related to climate change are expected to continue. The production and market for our products are subject to the impact of laws and rules related to climate change. Our customers and our operating segments are exposed to risks of increased costs to comply with such laws and rules, including increased costs for raw materials and transportation, as well as exposure to damage to our respective business reputations upon any failure of compliance. Other adverse consequences of climate change could include an increased frequency of severe weather events and rising sea levels that could affect operations at our manufacturing facilities, the price of insuring our assets, or other unforeseen disruptions of our operations, systems, property, or equipment. 16 Table of Contents ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C. CYBERSECURITY Risk Management and Strategy Our information security program covers a range of cybersecurity activities with a primary objective of maintaining the confidentiality, integrity, and availability of information for our business and customers. The program and our systems are designed to identify and mitigate information security risks and data privacy breaches. Our risk mitigation processes include a cybersecurity incident response plan that is exercised regularly with tabletop exercises, security awareness training with attack simulations to reinforce the training, cybersecurity risk assessment integrated with technology acquisition processes and utilization of third-party partnerships for threat intelligence, incident response and escalation, and attack surface monitoring. We measure our security performance against the International Organization for Standardization 27001 Framework and Enterprise Risk Management strategies. We implement policies and practices to mitigate risks to organization data and operational processes. Our Global Data Privacy Program continues to align with environmental, social, and corporate governance standards and considers both risks and benefits of privacy-driven spending. The program operating model is based on the General Data Protection Regulation, which is adjusted for specific local requirements. The operating model is scalable to manage strategic, operational, legal, compliance, and financial risks and benefits, and uses technology to automate portions of the program, such as data subject access requests and consent and preference management. Our membership on the Data Privacy Board, a group comprised of some of the world s largest companies with a mission to help members engage in confidential, leader-level discussion, presents opportunities using unbiased benchmarking and support from peers in various industries. We continue to build privacy resilience across international operating environments. We work with third-party vendors to enhance our processes against the occurrences and impact of unauthorized access to our network, computers, programs, and data. Risk is inherent in risk management and strategy for cybersecurity. See Risk Factors in Part I, Item 1A in this report for further discussion. Governance The Board of Directors has oversight responsibility for cyber risks affecting the Company. The Board has delegated risk oversight with respect to operational, compliance, and financial matters, including cybersecurity and information technology risk, to the Audit Committee. Our Director of Security has extensive experience implementing and managing cybersecurity policies including oversight of investments in tools, resources, and processes that allows for the continued maturity of our cybersecurity program. Team members who support our information security program have relevant educational and industry experience. Our CEO, Chief Financial Officer, and Audit Committee receive regular reports provided by our Director of Security on the Company s risk and compliance with respect to cybersecurity matters including data privacy, incidents, and industry trends, along with prevention, detection, mitigation, and remediation of cyber incidents.
ITEM 1C. CYBERSECURITY Risk Management and Strategy Our information security program covers a range of cybersecurity activities with a primary objective of maintaining the confidentiality, integrity, and availability of information for our business and customers. The program and our systems are designed to identify and mitigate information security risks and data privacy breaches. Our risk mitigation processes include a cybersecurity incident response plan that is exercised regularly with tabletop exercises, security awareness training with attack simulations to reinforce the training, cybersecurity risk assessment integrated with technology acquisition processes and utilization of third-party partnerships for threat intelligence, incident response and escalation, and attack surface monitoring. We measure our security performance against the International Organization for Standardization 27001 Framework and Enterprise Risk Management strategies. We implement policies and practices to mitigate risks to organization data and operational processes. Our Global Data Privacy Program continues to align with environmental, social, and corporate governance standards and considers both risks and benefits of privacy-driven spending. The program operating model is based on the General Data Protection Regulation, which is adjusted for specific local requirements. The operating model is scalable to manage strategic, operational, legal, compliance, and financial risks and benefits, and uses technology to automate portions of the program, such as data subject access requests and consent and preference management. Our membership on the Data Privacy Board, a group comprised of some of the world s largest companies with a mission to help members engage in confidential, leader-level discussion, presents opportunities using unbiased benchmarking and support from peers in various industries. We continue to build privacy resilience across international operating environments. We work with third-party vendors to enhance our processes against the occurrences and impact of unauthorized access to our network, computers, programs, and data. Risk is inherent in risk management and strategy for cybersecurity. See Risk Factors in Part I, Item 1A in this report for further discussion. Governance The Board of Directors has oversight responsibility for cyber risks affecting the Company. The Board has delegated risk oversight with respect to operational, compliance, and financial matters, including cybersecurity and information technology risk, to the Audit Committee. Our Director of Security has extensive experience implementing and managing cybersecurity policies including oversight of investments in tools, resources, and processes that allows for the continued maturity of our cybersecurity program. Team members who support our information security program have relevant educational and industry experience. Our CEO, Chief Financial Officer, and Audit Committee receive regular reports provided by our Director of Security on the Company s risk and compliance with respect to cybersecurity matters including data privacy, incidents, and industry trends, along with prevention, detection, mitigation, and remediation of cyber incidents.

Company Information