Page last updated on July 29, 2025
Worthington Steel, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-07-29 17:20:38 EDT.
Filings
10-K filed on 2025-07-29
Worthington Steel, Inc. filed a 10-K at 2025-07-29 17:20:38 EDT
Accession Number: 0000950170-25-099742
Item 1C. Cybersecurity.
Cybersecurity risk management is an integral part of our overall enterprise risk management program. Our cybersecurity risk management program is designed to provide a framework for assessing, identifying and managing cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers, and to facilitate coordination across different departments of our Company. Our processes include steps for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat including whether the cybersecurity threat is associated with a third-party service provider, implementing cybersecurity countermeasures and mitigation strategies and informing management and the Board of material cybersecurity threats and incidents.
We engage third-party security experts for risk assessment and system enhancements. The Company delivers annual security awareness training to employees, augmented by periodic role-specific modules and recurring phishing simulation exercises to measure user susceptibility and inform further training.
The Board has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the Audit Committee of the Board. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which we are exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. The Audit Committee also reports material cybersecurity risks to the Board. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes designed to ensure that such potential cybersecurity risk exposures are monitored, putting in place mitigation measures and maintaining cybersecurity programs.
Management, including the CIO and our Director of Cybersecurity, regularly updates the Audit Committee on our cybersecurity programs, which includes cybersecurity risks and mitigation strategies, a third-party risk assessment program, vulnerability management, and on-going cybersecurity projects. Our cybersecurity programs are under the direction of our Vice President and Chief Information Officer (“CIO”) who receives regular reports from our Director of Cybersecurity. The Director of Cybersecurity oversees our dedicated cybersecurity team comprised of 2 Senior Security Engineers and 2 Security Analysts and is augmented by a 24x7 managed security services who actively manage and execute our efforts to prevent, detect, mitigate and remediate cybersecurity incidents.
The Director of Cybersecurity has over 15 years of experience in cybersecurity, with demonstrated expertise in incident response, threat detection, vulnerability management, and third-party risk assessments. He holds advanced degrees in IT Project Management and Network Security and maintains industry certifications including CISSP (Certified Information Systems Security Professional) and GCIH (GIAC Certified Incident Handler).
The two Senior Security Engineers have 16 and 10 years of experience, respectively. Their areas of specialization include network security architecture, endpoint protection technologies, and operational technology (OT) security integration. Both hold advanced certifications such as CISSP, GRID (GIAC Response and Industrial Defense), and GCIP (GIAC Critical Infrastructure Protection).
The two Security Analysts bring 3 and 4 years of experience, respectively. Each holds a bachelor’s degree in Computer Science and maintains industry certifications including CompTIA Security+ (SEC+). Their responsibilities include real-time security monitoring, phishing simulation campaigns, and user awareness support.
Collectively, the cybersecurity team brings 48 years of combined experience and is actively engaged in ongoing professional development to remain current with emerging cyber threats, technologies, and regulatory requirements.
In fiscal 2025, we did not identify any cybersecurity threats, including as a result of any previous cybersecurity incidents, that materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. It is possible that we may not implement appropriate controls if we do not detect a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate the risks. Even when a risk is detected, disruptive events may not always be immediately and thoroughly interpreted and acted upon. For more information about these risks, see “Risk Factors - Risks Related to our Business” in Item 1A. of this Form 10-K.
Company Information
Name | Worthington Steel, Inc. |
CIK | 0001968487 |
SIC Description | Steel Works, Blast Furnaces & Rolling & Finishing Mills |
Ticker | WS - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | May 30 |