TREX CO INC 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

TREX CO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 08:50:54 EST.

Filings

10-K filed on 2026-02-25

TREX CO INC filed a 10-K at 2026-02-25 08:50:54 EST
Accession Number: 0001193125-26-068732

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C . Cybersecurity Cybersecurity Risk Management The Company has systems and processes for identification, assessment, and management of material risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. The Company's multi-faceted approach includes deploying applications and control activities to actively monitor and mitigate potential threats to the Company's IT environment. These activities include, but are not limited to, engaging an external third-party to monitor information systems security events, conducting annual security training of employees, testing employees via periodic phishing campaigns, conducting system vulnerability scanning, utilizing a patching program to remediate critical patches, and utilizing an external third-party to perform testing to identify gaps in the Company's security program. The Company also performs third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners. Additionally, for providers of software-as-a-service and other services that hold Company data, the Company reviews and assesses industry standard certifications such as System and Organization Controls (SOC) 1 or SOC 2 reports and cybersecurity preparedness questionnaires. Mitigation of risk efforts are coordinated by the Company's Director of Information Security, utilizing internal resources and third-party providers. The Company has not had any cybersecurity risks that have materially affected, or are reasonably likely to affect, the Company, including its business strategy, results of operations, or financial condition. Cybersecurity risks are disclosed in Part I Item 1A. Risk Factors, incorporated herein by reference. Cybersecurity Governance Our cybersecurity programs, including the cross-functional management committees responsible for identifying, assessing, and mitigating cybersecurity risks and incidents, are overseen by our Vice President and Chief Information Officer. Day-to-day administration of the cybersecurity programs are led by our Director of Information Security, a direct report to the Vice President and Chief Information Officer. Our Vice President and Chief Information Officer has 28 years of technology leadership experience and a Doctor of Business Administration. Our Director of Information Security has 28 years of experience in infrastructure and security operations and a degree in Information Technology Management. Our Vice President and Chief Information Officer escalates emerging cybersecurity risks and threats, provides updates on the status of projects to strengthen the Company's information security systems, and provides updates on any cybersecurity incidents to members of our senior leadership team, including our Senior Vice President, Chief Financial Officer, Senior Vice President, Chief Legal Officer and Secretary, and Senior Vice President, Chief Human Resources Officer. These leaders facilitate notification to the Audit Committee of the Board of Directors. The Audit Committee of the Board of Directors oversees cybersecurity related risks. Members of the Audit Committee receive the above referenced notifications and updates on a quarterly basis from the Company's Chief Information Officer as the designated representative of the Executive Information Security Oversight Committee . Additionally, the Company has a written Information Security Policy and a Cybersecurity Incident Response Plan that provides the above-referenced processes by which such committees are informed of and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents and material risks from cybersecurity threats.

Company Information