VALMONT INDUSTRIES INC 10-K Cybersecurity GRC - 2026-02-23

Page last updated on February 24, 2026

VALMONT INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-23 18:27:35 EST.

Filings

10-K filed on 2026-02-23

VALMONT INDUSTRIES INC filed a 10-K at 2026-02-23 18:27:35 EST
Accession Number: 0000102729-26-000007


Item 1C. Cybersecurity.

Item 1C of this report. While these measures are designed to prevent, detect, respond to, and mitigate unauthorized activity, there is no guarantee they will be sufficient to prevent or mitigate the risks of a cyberattack, whether directly targeting our systems or through third-party service providers, or to enable us to detect, report, or respond in a timely and effective manner. Successful cyberattacks or other security incidents could result in the loss of key innovations, such as artificial intelligence or Internet of Things technologies; loss of access to critical data or systems through ransomware, crypto mining, or destructive attacks; and business delays or service disruptions. These incidents could lead to legal risks, fines, penalties, negative publicity, theft, modification or destruction of proprietary information, defective products, production downtimes, and operational disruptions. All of these could harm our reputation and competitiveness, and materially affect our business strategy, results of operations, or financial condition.

Regulatory and business developments regarding climate change could adversely impact our operations and demand for our products.

Regulatory and business developments related to climate change could adversely affect our operations and the demand for our products. We closely monitor scientific discussions and legislative developments regarding climate change, including proposed regulations, to assess their potential impact on our business. Ongoing debates about the presence and scope of climate change, along with increasing legislative and regulatory attention, are likely to continue. Our production processes and the market for our products are influenced by such laws and regulations. Compliance with these measures may result in higher costs for raw materials and transportation. Non-compliance could damage our reputation and further expose our operations and customers to significant risks.
Climate change also presents physical risks, such as the increased frequency of severe weather events and rising sea levels, which could disrupt operations at our manufacturing facilities. These events may cause unforeseen disruptions of systems, equipment, or overall operations. Additionally, we are facing rising insurance premiums and costs, including for property, casualty, and business interruption insurance. This trend is partly driven by the growing frequency and severity of extreme weather events such as hurricanes, floods, wildfires, and other natural disasters. Insurers have responded by tightening underwriting standards, reducing coverage limits, and increasing premium rates, particularly for businesses with geographically diverse and asset-intensive operations like ours. Any reduction in insurance coverage limits or the introduction of policy exclusions increases our financial exposure to losses associated with casualty events, including extreme weather occurrences.

Challenges in managing manufacturing capacity and responding to demand volatility could adversely affect our business.

Producing large engineered structures for Infrastructure customers requires significant machinery and often necessitates operating our manufacturing facilities at or near full capacity to achieve optimal utilization. As a result, if demand for specific structure types in the Utility or Infrastructure markets changes unexpectedly, our ability to adjust manufacturing capacity in the near term may be limited. Establishing new manufacturing capacity or expanding, reconfiguring, or restarting existing capacity involves significant vendor lead times, capital investments, and, in certain cases, customer approvals. These decisions are often made well in advance of firm customer orders and based on forecasts that may not ultimately reflect actual demand.
If actual demand does not develop as anticipated, or declines after we have expanded capacity or increased our fixed cost structure, our manufacturing facilities may operate below optimal utilization, which could result in higher per-unit manufacturing costs, elevated inventory levels, reduced margins, asset impairments, restructuring charges, or lower profitability. Conversely, if actual demand exceeds our forecasts, we may be required to extend customer lead times or may be unable to satisfy customer demand, which could lead to customer dissatisfaction, the loss of market share to competitors, increased overtime and expediting costs, and reputational harm. In addition, efforts to expand, modify, or rapidly ramp manufacturing capacity can increase operational complexity and elevate safety risks for our employees and contractors. Such activities may involve the installation of new equipment, changes to manufacturing processes, compressed production timelines, or the use of temporary or less-experienced labor. Workplace accidents, safety incidents, or regulatory actions arising from these conditions could disrupt operations, delay production, result in litigation or regulatory scrutiny, increase insurance or self-insurance costs, and adversely affect our reputation and financial performance. Although we maintain insurance coverage and safety programs designed to mitigate these risks, such measures may not be sufficient to prevent or fully offset the impact of all incidents or liabilities. If we are unable to effectively manage manufacturing capacity, respond to changes in demand, or safely execute capacity expansions and production ramp-ups, our business, financial condition, operating results, and reputation could be adversely affected.

If our internal control over financial reporting is found to be ineffective, our operating results could be adversely affected.

Our internal control over financial reporting is subject to inherent limitations, including human error, the circumvention or override of controls, and fraud. Even effective internal controls can provide only reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with generally accepted accounting principles. The complexity of our business, including diversified product lines across multiple jurisdictions, the use of multiple enterprise resource planning systems, and complex revenue recognition requirements, further increases the challenge of maintaining effective internal controls. If we fail to maintain our internal control over financial reporting, or if we experience deficiencies or delays in implementing necessary improvements, it could have a negative impact on our operating results and damage our reputation.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Our information security program covers a wide range of cybersecurity activities, with the primary objective of maintaining the confidentiality, integrity, and availability of information for both our business and customers. The program and our systems are designed to identify and mitigate information security risks and data privacy breaches. Our risk mitigation processes include a cybersecurity incident response plan, which is regularly exercised through tabletop exercises, security awareness training with attack simulations to reinforce the training, cybersecurity risk assessments integrated with technology acquisition processes, and the utilization of third-party partnerships for threat intelligence, incident response and escalation, and attack surface monitoring. We measure our security performance using the International Organization for Standardization 27001 Framework and Enterprise Risk Management strategies.
We implement policies and practices to mitigate risks to organizational data and operational processes. Our Global Data Privacy Program continues to align with environmental, social, and corporate governance standards, taking into account both the risks and benefits of privacy-driven spending. The program's operating model is based on the General Data Protection Regulation, adjusted to meet specific local requirements. This scalable model manages strategic, operational, legal, compliance, and financial risks and benefits, and utilizes technology to automate portions of the program, such as data subject access requests and consent and preference management. Our membership in the Data Privacy Board, a group comprised of some of the world's largest companies with the mission of engaging in confidential, leader-level discussions, offers opportunities for unbiased benchmarking and support from peers across various industries. We continue to build privacy resilience across international operating environments. We collaborate with third-party vendors to enhance our processes against unauthorized access to our network, computers, programs, and data. Risk is inherent in risk management and cybersecurity strategy. Successful cyberattacks or other security incidents could result in the loss of key innovations, such as artificial intelligence or Internet of Things technologies; loss of access to critical data or systems through ransomware, crypto mining, or destructive attacks; and business delays or service disruptions. See "Our operations could be adversely affected if our information technology systems and networks are compromised or subjected to cyberattacks" under Risk Factors in Part I, Item 1A of this report, which we incorporate here by reference. To date, we have not identified any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. 
Governance

The Board of Directors has oversight responsibility for cyber risks affecting the Company. The Board has delegated risk oversight of operational, compliance, and financial matters, including cybersecurity and information technology risk, to the Audit Committee. Our Chief Information Officer has extensive experience implementing and managing cybersecurity policies, including overseeing investments in tools, resources, and processes that enable the continued maturity of our cybersecurity program. Team members supporting our information security program possess relevant educational backgrounds and industry experience. Our Chief Executive Officer, Chief Financial Officer, and Audit Committee receive regular reports from our Chief Information Officer on the Company's risk and compliance with cybersecurity matters, including data privacy, incidents, industry trends, and the prevention, detection, mitigation, and remediation of cyber incidents.


Company Information

Name: VALMONT INDUSTRIES INC
CIK: 0000102729
SIC Description: Fabricated Structural Metal Products
Ticker: VMI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 27