RPM INTERNATIONAL INC/DE/ 10-K Cybersecurity GRC - 2025-07-24

Page last updated on July 27, 2025

RPM INTERNATIONAL INC/DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-07-24 15:35:26 EDT.

Filings

10-K filed on 2025-07-24

RPM INTERNATIONAL INC/DE/ filed a 10-K at 2025-07-24 15:35:26 EDT
Accession Number: 0000950170-25-098313

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyber security. Our cyber-security risk strategy includes policies and procedures for assessing, identifying and managing material cybersecurity threats. Our program is based on the U.S. National Institute for Standards and Technology (NIST) cybersecurity framework and other applicable industry frameworks. Our cybersecurity posture is risk based, focused on the areas of higher risk to the company and associates. Our cybersecurity policies, standards and practices are integrated into our enterprise risk management approach, and cybersecurity risks are among the enterprise risks that are subject to oversight by the Board of Directors acting through the Audit Committee of the Board of Directors. We use third party vendors to perform ongoing security monitoring, reporting and forensic analysis, including annual external penetration testing. Security standards are established and defined with respect to administrator accounts, backups, encryption, passwords, website certifications, antivirus software, endpoint management, firewalls, wi-fi networks, vulnerability scanning, server protection, patching, privacy by design, and data breach reporting. We perform ongoing employee cybersecurity awareness and training activities, which includes frequent phishing testing, and we maintain cyber insurance coverage. We conduct annual internal audits to test compliance with our technology policies, security procedures and controls. Our third-party information technology providers, consultants and vendors are vetted by our information security teams to assess cybersecurity risks and mitigation measures, where applicable . We continue to increase our cybersecurity investments and safeguards designed to detect and prevent cybersecurity incidents. Notwithstanding our increased cybersecurity investments and preparedness activities, threat actors and cybersecurity incidents continue to pose a risk to the security of our systems, facilities, and networks and to the confidentiality, availability and integrity of our data, including but not limited to intellectual property, confidential information and personal data. Cybersecurity incidents are investigated and remediated in accordance with our incident response procedures and other policies and procedures. For more information on how a cybersecurity incident may impact the Company, refer to the risk factor titled “Cybersecurity threats, data privacy compliance, and use of artificial intelligence could have a negative impact on our business,” in Item 1A of this Form 10-K. While we have experienced cybersecurity incidents that have disrupted our operations in the past, to date, no cybersecurity incidents have had or are materially likely to have, a material impact on RPM. Cybersecurity is overseen by the Audit Committee of the Board of Directors. The Senior Director - Information Security coordinates with and directs cybersecurity initiatives through information technology and cybersecurity personnel throughout RPM. The Senior Director - Information Security has over 15 years’ experience in the information technology and cybersecurity field as well as over 15 years’ experience in auditing information security, including previous roles in information security architecture, information technology and information security audit and governance. The Senior Director - Information Security has completed a CISO Academy Workshop, where he gained valuable insights to help improve our cybersecurity posture and program while also better aligning it to our overall business strategy and operating model. He received a BA in math and computer science from Ohio Wesleyan University and holds an Information Systems Auditor certification. The Audit Committee regularly receives information and reports from the Senior Director - Information Security and other executives responsible for identifying and assessing the scope, nature and impact of cybersecurity risks, incidents and mitigation efforts . In addition to the Audit Committee, the full Board of Directors receives reports on the status of our cybersecurity risks, incidents and mitigation efforts either from the Audit Committee or from the Senior Director - Information Security and other executives. We utilize a technology-based reporting system to identify and log data-related events. Cybersecurity incidents are assessed for actual or potential impact on the business and any relevant data subjects. Materiality of cybersecurity incidents is assessed and determined by the Cybersecurity Team, which has been assigned this responsibility by our Disclosure Committee. The Cybersecurity Team consists of the Chief Financial Officer, the General Counsel, the Vice President - Commercial Excellence, the Vice President - Global Systems and the Senior Director - Information Security. The Senior Director - Information Security reports regularly to our Disclosure Committee. In the event a cybersecurity incident is determined to have, or is likely to have, a material impact on the Company, the Chair of the Audit Committee of the Board of Directors is directly notified by the General Counsel in coordination with the Chief Financial Officer and Senior Director - Information Security.

Company Information