CRH PUBLIC LTD CO 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

CRH PUBLIC LTD CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 06:25:45 EST.

Filings

10-K filed on 2024-02-29

CRH PUBLIC LTD CO filed an 10-K at 2024-02-29 06:25:45 EST
Accession Number: 0001628280-24-007773

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy CRH leverages its Enterprise Risk Management (ERM) framework to identify, assess, respond, monitor and report material cybersecurity risks facing the Company. CRH manages cybersecurity risk at multiple levels within the Company. Given CRH s wide geographic spread, the frequency and possible scale of acquisition activity, the diversity of the types of IT systems operated by CRH companies and the decentralized nature of its operations, CRH implements an amalgam of centralized and decentralized processes for IT management. Under this model, Company-level management and the management of CRH s operating subsidiaries and business units share responsibility for cybersecurity management and collaborate on assessing, identifying, and managing material risks. CRH s operating subsidiaries and business units use a variety of tools and processes to identify and manage material cybersecurity risks. Across the Company, CRH utilizes multiple monitoring tools and practices to identify and detect unusual activities and/or potential cybersecurity incidents, including potential system breaches, and to verify the effectiveness of protective measures. CRH s operating subsidiaries and business units implement various risk mitigation strategies, including continuously strengthening security measures, improving incident response plans through post-incident evaluations and assessments, investing in security technologies, providing regular and focused employee training, and transferring risk through cybersecurity insurance. At the Group level, CRH conducts a semi-annual bottom-up risk assessment focused on CRH s operating subsidiaries and business units, including cybersecurity-related risks, which evaluates the impact and likelihood of the identified cyber risks and the effectiveness of existing security measures, policies, and procedures. CRH also requires that each operating subsidiaries completes a self-assessment regarding its cyber controls and risk, including user awareness training, email security protection, multi-factor authentication, system patch management, identity management, network segregation, antivirus and web protections, asset inventory, privileged access management, logging, monitoring, and incident response capabilities. As described further below under Cybersecurity Governance , CRH s Board and senior management receive regular briefings on cybersecurity risks facing CRH and are closely involved in identifying cybersecurity risks, developing CRH s plan for managing such risks, and continuously refining CRH s cyber defenses in response to the information gathered through the above-mentioned risk assessments. To manage the risk of a material impact on CRH s operations or financial performance due to a cybersecurity incident, CRH has implemented a mandatory Cybersecurity Incident Escalation Standard as part of its Company-wide Information Security Policy. This Standard, which is supported by relevant guidelines and procedural documentation, provides a structured approach adapted to the systems of each CRH operating subsidiary and business unit to manage the incident response process through a series of pre-defined phases, including triage, containment, eradication, recovery, and post-incident analysis. CRH also provides regular and focused training to aid employees in understanding and complying with relevant Company policies and applicable regulations, including those related to cybersecurity. Assessment and management of cybersecurity risks is a key component of CRH s broader risk governance processes as cybersecurity is a core risk facing the Company. Identification of cybersecurity risks is integrated into CRH s overall ERM framework, with a focus on risks related to information systems, data security, operational technology and technology infrastructure. CRH works closely with multiple external advisors specializing in cybersecurity to improve its ability to identify and detect, protect against, and recover from, cybersecurity incidents. In addition, CRH leverages certain managed service providers to aid in triaging and monitoring potentially malicious activities. CRH is dependent upon third-party service providers for certain IT-related services, and has systems of oversight to evaluate potential risks in certain critical third-parties on whom CRH has a material dependency. These systems would include the use of vendor security questionnaires, vulnerability assessments and annual audits. CRH has not been subject to a cyber-attack that has had a material impact on our operations or financial results. For additional information, please refer to Item 1A. Risk Factors . Cybersecurity Governance Our Board is responsible for strategy, risk and governance, including oversight of risks from cybersecurity threats. The Board has delegated to the Audit Committee primary responsibility for oversight of cybersecurity risk management and the associated internal control systems. The Audit Committee is currently made up of six independent directors with a range of relevant cybersecurity, information technology and operational technology experience. The Audit Committee receives updates at least annually from the Chief Information Security Officer (CISO) on the design and progress of key information security initiatives in addition to regular briefings on cybersecurity and management of cybersecurity-related risks from relevant members of management, including the Head of ERM and our CISO. Recent updates from the CISO have focused on the Company s information security strategy, ongoing security assessments and ongoing projects. The Audit Committee is responsible for updating the full Board on identified risks related to cybersecurity. Our executive leadership team is responsible for CRH s strategy and governance, including implementation and review of our ERM framework, which has identified cybersecurity as a core risk for CRH. CRH has established the role of CISO to provide technical leadership on a day-to-day basis in assessing and managing the Company s material cybersecurity risks and liaising with the chief information officers of CRH s Divisions. Our CISO has 25 years of experience working in IT, including more than a decade spent in prior technical and senior management roles related to cybersecurity. The divisional chief information officers have in excess of 10 years of experience, on average, in IT-related and cybersecurity-related roles and, together with the CISO, hold a variety of recognized and specialized credentials related to cybersecurity and IT. CRH also maintains a Company-wide incident response function centered in our Group Information Security (GIS) team, led by the CISO. GIS responds to potential incidents across CRH in accordance with predetermined severity classifications. In line with CRH s Cybersecurity Incident Escalation Standard and supporting guidelines and procedural documentation, incidents that are deemed potentially material to the Company and/or which may lead to the exposure of confidential or sensitive data are immediately escalated to GIS for review and, as necessary, mitigation and remediation actions are taken. GIS and the CISO also review regular attestation reports that are required to be prepared by CRH s operating subsidiaries and business units regarding cybersecurity incidents that did not meet the threshold for immediate escalation. Following cybersecurity incidents, GIS, in conjunction with members of management of CRH s operating subsidiaries and business units as necessary, conduct post-incident analysis and exercises designed to strengthen CRH s cybersecurity practices. The management Risk Committee and broader executive leadership team are briefed on the occurrence, mitigation and remediation of cybersecurity incidents on a regular basis, including ad-hoc briefings covering significant or potentially material incidents. CRH Form 10-K 17 CRH s leadership team has also identified the Risk Committee, which is made up of our Chief Financial Officer, Group General Counsel, Chief Operating Officer and the Presidents of CRH Americas and CRH Europe, as the executive oversight body for risk management, including cybersecurity risks and the work of the CISO, GIS and related teams. The Risk Committee meets quarterly with the Head of ERM to assess risks facing CRH, and, on an as-needed basis, meets with other members of CRH management regarding cybersecurity risks and developments. The Risk Committee also reviews the half-yearly risk updates that are provided to the Audit Committee prior to dissemination.

Company Information