UFP INDUSTRIES INC 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

UFP INDUSTRIES INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 13:57:22 EST.

Filings

10-K filed on 2026-02-25

UFP INDUSTRIES INC filed a 10-K at 2026-02-25 13:57:22 EST
Accession Number: 0001104659-26-019567


Item 1C. Cybersecurity.

Risk Management and Strategy.

We recognize the importance of managing cybersecurity risks to protect our business operations, assets, data, and stakeholders. This is achieved through implementation of an enterprise-wide security risk management program, a risk-based approach to cybersecurity program management, and an internal security control framework. We employ a structured approach to frame, assess, treat and monitor risks to determine if such risks are material. Material cybersecurity risks are identified, assessed and managed in several ways. Cybersecurity risk management processes are embedded in our enterprise-level activities and business processes as well as day-to-day operations. This includes but is not limited to:

● Program foundations and standards. We established information security, cybersecurity and risk management frameworks that serve as the foundation for our cybersecurity program, which aligns with internationally recognized frameworks, including the NIST CSF and ISO 27001, as well as risk management guidelines such as NIST SP 800-37 (RMF) and ISO 27005. These frameworks have been adapted to include the assessment and management of risks associated with emerging technologies, including artificial intelligence (AI). Additional security and privacy controls are selected, implemented, assessed and monitored for organizational systems and processes that access, process, transfer or store data categorized as falling under regulatory requirements.

● Integration with enterprise risk management (ERM). Cybersecurity risk management is an integral component of our ERM program, ensuring that cybersecurity risks are aggregated and compared against other enterprise-level risks to inform strategic decision-making.

● Risk management process. Our strategic and operational risk management approach begins with risk framing activities to align the enterprise-wide cybersecurity strategy with day-to-day operations. Cybersecurity risks are identified, analyzed, evaluated, communicated, and prioritized across the organization through a comprehensive assessment. Risk responses are then managed to reflect our established risk appetite, tolerance, and thresholds. Ongoing monitoring of risk factors, treatment effectiveness, and compliance changes is performed to maintain continuous oversight of acceptable risk levels consistent with our governance model.

● Threat monitoring, detection and response. Our dedicated Cybersecurity Incident Response Team (CSIRT), in conjunction with our Security Operations Center (SOC), monitors threats and vulnerabilities, investigates potential incidents, and coordinates response and remediation. Our Incident Response Plan is maintained and tested to verify the completeness and effectiveness of its preparation, detection and analysis, containment, eradication and recovery, and post-incident review stages. Incidents are risk-ranked, prioritized and escalated according to defined thresholds to members of the Incident Response Team and, when warranted, to executive leadership, consisting of our CIO, our Director of Cybersecurity, and other members of the executive team, to facilitate timely assessment of potential materiality and coordination of required disclosures.

● Security controls and layered defense. As part of our defense in depth strategy, we operate multiple layers of frontline controls spanning network security, endpoint protection, identity and access management (including privileged access management), and data protection and encryption safeguards. In addition to these technical frontline controls, we maintain a secondary layer of defense consisting of internal control owners and functional managers who perform regular self-assessments and monitoring of control effectiveness. This dual-layered approach is further validated by periodic independent testing and internal audits. These preventive layers are reinforced by comprehensive logging, detection, and response capabilities, ensuring that threats are identified and contained even if one control layer is bypassed. This layered approach strengthens our overall security posture by creating overlapping defenses that collectively reduce risk and improve resilience across the enterprise.

● Testing, exercises, and continuous improvement. We conduct tabletop exercises for our incident response and disaster recovery activities and perform internal and external vulnerability assessments as well as penetration testing. Lessons learned from these activities are analyzed and integrated into our policies, governance, and technology through a risk-managed approach.

● Training and awareness. Mandatory, periodic security and privacy training is provided to all employees during their onboarding and employment with our organization. This training is supplemented with phishing simulations and awareness activities on an ongoing basis.

● Use of external parties. We engage external assessors, consultants, independent auditors and, as needed, outside counsel to evaluate aspects of our cybersecurity program, controls and overall posture. This is achieved through control audits as well as testing, exercises, and continuous improvement activities.

● Supply chain security. We monitor third-party service providers and suppliers through risk-based onboarding and periodic assessments. Beyond initial and periodic evaluations, we actively monitor security events and threat intelligence related to our significant third-party providers to identify potential "downstream" incidents that could impact our systems or data. Additionally, we maintain security-focused contractual requirements and conduct risk-based continuous vendor monitoring (including targeted cybersecurity assessments correlated to vendor risk level).

As of the date of this report, we have not experienced any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. While we have not identified any such material risks to date, we recognize that the threat landscape is constantly evolving. We remain committed to our structured approach to identifying and managing these risks as a core component of our business resilience strategy.

Governance.

Management's Role. Primary responsibility for risk management, including cybersecurity risks, lies with management. Our management team actively assesses and manages material cybersecurity risks through a structured framework. The CIO and Director of Cybersecurity lead our efforts in managing these risks:

● CIO. With over 20 years of experience in the information technology space, our CIO brings expertise and strategic insight to cybersecurity, compliance, enterprise architecture, systems resilience, and digital transformation.

● Director of Cybersecurity. With over 30 years of experience in information technology, including systems architecture and management, our Director of Cybersecurity holds the Certified Information Security Manager (CISM) designation. This expertise supports the Director's responsibility for day-to-day cybersecurity operations, the alignment of security strategies with business objectives, and the management of our information security risk framework. The Director reports directly to the CIO and leads the cross-functional team in identifying and mitigating material risks.

Our cross-functional cybersecurity team, composed of experts with decades of combined experience, supports the CIO and Director in implementing our cybersecurity program. This team consults with legal, HR, and IT specialists to assess the materiality of cybersecurity risks and incidents, using a well-established Incident Response Plan that includes clear escalation measures.

Board of Directors Oversight. The role of the Board of Directors with respect to our cybersecurity program is one of oversight of management, and the Board has delegated primary oversight authority over the program to the Audit Committee. The Audit Committee oversees these risks as outlined in its Charter, which mandates reviewing the company's information technology framework, practices, and implemented controls to monitor and mitigate IT risks. The Audit Committee meets quarterly and receives reports and briefings from the CIO, Director of Cybersecurity, and the cybersecurity team on emerging threats, risk status, and mitigation strategies. The Committee engages with the cybersecurity team to increase its understanding of the specific issues facing the Company and to challenge the team as appropriate. The Committee also may consult external cybersecurity experts as needed to fulfill its oversight role. The Audit Committee regularly reports to the Board on matters addressed during the Committee's quarterly meetings, including any material cybersecurity risks or developments.


Company Information

Name: UFP INDUSTRIES INC
CIK: 0000912767
SIC Description: Sawmills & Planing Mills, General
Ticker: UFPI - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 27