JEWETT CAMERON TRADING CO LTD 10-K Cybersecurity GRC - 2025-12-01

Page last updated on December 1, 2025

JEWETT CAMERON TRADING CO LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-01 16:09:08 EST.

Company Summary

Jewett-Cameron Trading Company Ltd. manufactures and distributes pet, fencing, and industrial wood products under various brands, serving retail and industrial customers across North America and globally from its headquarters in North Plains, Oregon.

Filings

10-K filed on 2025-12-01

JEWETT CAMERON TRADING CO LTD filed a 10-K at 2025-12-01 16:09:08 EST
Accession Number: 0001553350-25-000164


Item 1C. Cybersecurity.

Risk Management and Strategy

Our Board recognizes the critical importance of maintaining the trust and confidence of our customers, suppliers, business partners and employees. Our Board and our Audit Committee are actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management ("ERM"). Our cybersecurity policies, standards, processes, and practices are fully integrated into our ERM program and are based on recognized frameworks and applicable established industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:

- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
- technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security procedures;
- training and awareness programs for employees that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and procedures;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for service providers, suppliers, and vendors.

Notwithstanding the measures we have put in place internally and through third party industry experts, on October 15, 2025, we learned that a threat actor had gained unauthorized access to portions of our information technology ("IT") environment and claimed to have unlawfully accessed certain Company information and data. We immediately activated our cyber incident response plan to contain the intrusion, assess and investigate the incident and implement remedial measures. We also immediately notified law enforcement, including the Federal Bureau of Investigation (FBI), and retained external cybersecurity experts to assist.

Based on our investigation to date, we believe that the cybersecurity incident consisted of unauthorized access and deployment of encryption and monitoring software by a third party to a portion of our internal corporate IT systems. The incident caused disruptions and limitation of access to portions of our business applications supporting aspects of our operations and corporate functions, which we voluntarily took offline as a precautionary measure. Based on the information reviewed to date, we believe the unauthorized activity has been contained and we were able to bring the impacted portions of our IT systems and individual computer devices back online and operate at full capacity within a week of detection of the unauthorized access.

Although we ascertained that certain information was exfiltrated, we are still investigating the extent of compromise of any sensitive information contained within the accessed IT systems. However, it is believed that the threat actors unlawfully accessed certain computer systems and exfiltrated images of video meetings and computer screens that may contain sensitive information. The threat actors released a portion of this information publicly and that of some of our vendors and customers since we had not acceded to their demand for a monetary payment. However, we do not believe that the threat actor was able to infiltrate the computer systems of any of our customers or vendors.

We have taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access and bolstering our cyber defensive capabilities. We believe that there will be additional costs associated with these activities but that the disruption to our operations and the costs associated with our cybersecurity experts will largely be covered by adequate insurance. However, there can be no assurance that our insurance carriers will accept liability under these policies, in which event, we would be compelled to pay the expenses of our cyber experts directly, which would increase our costs and have a material adverse effect on our future financial performance.

As the investigation of the incident is ongoing, the full scope, nature and ultimate impact of the incident are not yet completely known. We have no current evidence that any personally identifiable information of any employees, customers, suppliers or vendors has been compromised, but our analysis and review of the potential compromised systems and data is continuing.

Governance

Our Board is engaged in the oversight of cybersecurity threat risk management. Additionally, the Audit Committee regularly receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Financial Officer. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

Management is responsible for developing cybersecurity programs. Our expertise in IT and cybersecurity generally has been gained from a combination of education, best practices and prior experience. They are informed by their respective cybersecurity teams about, and monitor, the prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above.

As evidenced by the cybersecurity incident described above, no combination of defensive measures are infallible. However, we are confident that we have established robust and reasonable measures and defenses consistent with industry standards and our Company's operations and use of internet-related systems. While this landscape is continually changing, we attempt to be knowledgeable and flexible with regard to the protection of our data and that of our partners.


Company Information

Name: JEWETT CAMERON TRADING CO LTD
CIK: 0000885307
SIC Description: Retail-Lumber & Other Building Materials Dealers
Ticker: JCTC - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: August 30