UFP INDUSTRIES INC 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

UFP INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 15:30:54 EST.

Filings

10-K filed on 2025-02-26

UFP INDUSTRIES INC filed a 10-K at 2025-02-26 15:30:54 EST
Accession Number: 0001558370-25-001595


Item 1C. Cybersecurity.

Cybersecurity Overview.

At UFP Industries, we recognize the importance of managing cybersecurity risks to protect our operations, data, and stakeholders. Our program is aligned with industry-recognized frameworks, including the NIST Cybersecurity Framework and CIS Top 18 Security Controls. We employ a structured approach to identify, assess, and manage potential threats, ensuring our defenses are proactive and multi-layered. Regular reviews and third-party assessments help us adapt to evolving risks, while our incident response plan and business continuity strategies are designed to minimize any operational impact from cybersecurity incidents.

Risk Management and Strategy.

Risks from Cybersecurity Threats. Information relating to risks from cybersecurity threats is included in this report in Item 1A under the caption "Cybersecurity breaches or other failures in our information technology systems could disrupt our business."

Our cybersecurity risk management program is designed to evaluate material threats and vulnerabilities throughout the organization and their potential impact on our operations, data, and stakeholders. Our program is reviewed and updated regularly to address emerging risks, following the NIST Cybersecurity Framework, NIST Risk Management Framework, and CIS Top 18 Security Controls.

We manage cybersecurity risks through a three-step process:

1. Identify. We assess our critical operational assets and those that may attract threat actors, identifying any cyber activities that could diminish asset value, hinder operational capabilities, or covertly grant access to threat actors.

2. Assess. We evaluate the exposure of our assets to identified cyber risks and determine the potential operational or reputational impact if access or utilization is compromised. This assessment includes determining the materiality of these risks based on their potential impact.

3. Manage. We have implemented a multi-layered defense strategy designed to secure asset access and prevent unauthorized access. We prioritize our defenses based on cost-effectiveness and risk reduction potential, using administrative, procedural, and technical controls.

To improve our cybersecurity posture, we regularly engage third-party consultants for penetration testing, risk assessments, and control audits. We also monitor third-party service providers, particularly those with access to sensitive data, through contractual and oversight mechanisms designed to mitigate and monitor risks continuously.

We work proactively to prevent, detect, and minimize the impact of cybersecurity incidents through a structured incident response plan. This plan is tested and reviewed regularly with simulated incidents. We maintain business continuity, contingency, and recovery plans designed to maintain resilience during incidents. Lessons learned from past incidents are integrated into our governance, policies, and technology to strengthen our defenses.

As of this filing, we have not experienced any cybersecurity breach that has materially impacted our business or financial condition, nor have we identified any risks from cybersecurity threats that have materially impacted or are reasonably likely to materially impact us, including our business strategy, results of operations, or financial condition. However, we recognize that our operations involve the collection, transmission, and storage of sensitive data, which may expose us to cybersecurity threats, including unauthorized access and cyberattacks. We remain committed to identifying and managing these risks as part of our business strategy and operations.

Board of Directors and Management Governance.

Management’s Role. Primary responsibility for risk management, including cybersecurity risks, lies with management. Our management team actively assesses and manages material cybersecurity risks through a structured framework. The CIO and Director of Cybersecurity lead our efforts in managing these risks:

● CIO. With over 20 years of experience in the information technology space, the CIO brings expertise and strategic insight to cybersecurity, compliance, enterprise architecture, systems resilience, and digital transformation to UFP Industries.
● Director of Cybersecurity. With over 30 years of experience in the information technology space, including systems architecture, management, and cybersecurity risk management, the Director reports directly to the CIO and is responsible for day-to-day cybersecurity operations.

Our cross-functional cybersecurity team, composed of experts with decades of combined experience, supports the CIO and Director in implementing our cybersecurity program. This team consults with legal, HR, and IT specialists to assess the materiality of cybersecurity risks and incidents, using a well-established Incident Response Plan that includes clear escalation measures.

Board of Directors Oversight. The role of the Board of Directors with respect to our cybersecurity program is one of oversight of management, and the Board has delegated primary oversight authority over the program to the Audit Committee. The Audit Committee oversees these risks as outlined in its Charter, which mandates reviewing the company’s information technology framework, practices, and implemented controls to monitor and mitigate IT risks.

The Audit Committee meets quarterly and receives reports and briefings from the CIO, Director of Cybersecurity, and the cybersecurity team on emerging threats, risk status, and mitigation strategies. The Committee engages with the cybersecurity team to increase their understanding of the specific issues facing the Company and to challenge the team as appropriate. The Committee also may consult external cybersecurity experts as needed to fulfill its oversight role. The Audit Committee regularly reports to the Board on matters addressed during the Committee’s quarterly meetings, including any material cybersecurity risks or developments.

Processes for Monitoring and Mitigating Cybersecurity Risks and Incidents.

We employ a structured approach to monitor and mitigate risks through:

● Regular network and system monitoring for potential threats.
● Regular vulnerability assessments and penetration testing.
● Implementation of technical controls such as firewalls, intrusion detection systems, and encryption.
● Employee training and awareness programs.
● Incident response plans designed for swift and effective mitigation.
● Software and vendor risk assessments.
● Vulnerability management solutions prioritizing patching based on risk.
● Privileged account management solutions for administrative access.

These measures aim to prevent, detect, and respond to cybersecurity incidents effectively. They are regularly reviewed and updated to adapt to evolving threats. In the event of an incident, our Incident Response Plan, which takes into account the perceived materiality of the incident with an appropriate escalation matrix, guides our response. Incident reports are compiled, reviewed by management, and shared with the CIO, CFO, the Audit Committee, and other key leaders, as appropriate, for resource allocation and risk mitigation planning.


Company Information

Name: UFP INDUSTRIES INC
CIK: 0000912767
SIC Description: Sawmills & Planting Mills, General
Ticker: UFPI - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 26