RELIANCE, INC. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

RELIANCE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:20:04 EST.

Filings

10-K filed on 2026-02-26

RELIANCE, INC. filed a 10-K at 2026-02-26 17:20:04 EST
Accession Number: 0001104659-26-020651

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Reliance has implemented processes for assessing, identifying and managing material risks from cybersecurity threats, which are integrated into the Company's overall enterprise risk management systems and processes. In response to this evolving cybersecurity threat landscape, we have implemented a cybersecurity risk management program that follows a comprehensive, multi-layered approach to securing our data and business systems from attack, compromise or loss, guided by the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. The Company regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and containment. The Company has also engaged third parties in connection with the assessment and advancement of its cybersecurity risk management processes. We undertake regular vulnerability scanning, periodic penetration testing and maturity assessments with the support of third parties; vulnerabilities are subsequently addressed based on risk/benefit analyses. To support our preparedness, we have constituted a Cybersecurity Review Committee ("CRC") and adopted a written incident response plan ("IRP"). The CRC is comprised of cross-functional personnel including 2025 Form 10-K / Reliance's Chief Information Officer ("CIO"), Chief Financial Officer ("CFO"), General Counsel, the Chief Information Security Officer ("CISO"), and Vice President, Enterprise Risk. In the event of a cybersecurity incident, our CRC refers to our IRP and existing management internal controls processes. Pursuant to these prescribed processes, designated personnel are responsible for assessing the severity of the incident and any associated threats, containing and resolving the incident as quickly as possible, managing any damage to the Company's systems and networks, minimizing the impact on the Company's stakeholders, analyzing and executing upon reporting obligations, escalating information about the incident to senior management and potentially representatives from the Board, as appropriate, and performing post-incident analysis and program enhancements, as needed. We perform tabletop exercises to test our incident response procedures, identify cybersecurity gaps and vulnerabilities and improvement opportunities and exercise team preparedness. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity incidents that impact our systems, networks, and technology. Reliance mandates regular cybersecurity training for employees and applicable contractors designed to provide employees and contractors with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. The training covers various cyberattack methodologies, including insider attacks, phishing and other forms of social engineering, and other email attacks, malware attacks, data protection, data handling, password protections, cloud and internet security and cybersecurity fundamentals for mobile devices. We take a risk-based approach with respect to our use and oversight of third-party service providers , using a number of means to assess cyber risks related to our third-party service providers, including vendor questionnaires, conducting due diligence in connection with onboarding new vendors, and negotiating cybersecurity terms in vendor agreements as appropriate. We also seek to collect and assess cybersecurity audit reports and other supporting documentation when available. Cybersecurity Risks Like other complex corporations, Reliance is the target of cyber-attacks from time to time, which have to date been immaterial individually and in the aggregate to our business strategy, results of operations and financial condition. We are not currently aware of any cybersecurity incidents, including third-party incidents, or cybersecurity threats that have materially affected or are reasonably likely to materially affect Reliance, including our business strategy, results of operations, or financial condition in the past three years. For additional information about risks related to cybersecurity, please see the risk factor set forth under the caption Item 1A. "Risk Factors" captioned " We rely on information management systems and any damage, interruption or compromise of our information technology management systems, networks or data could disrupt and harm our business." Governance Roles and Responsibilities Cybersecurity is an important element of our risk management processes and an area of particular focus for Reliance's Board of Directors and management. To more effectively prevent, detect and respond to information security threats, we have a dedicated CISO who manages a team that is responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes. The Company's CISO serves as single point of communication and coordination for protecting the Company and its digital information . The CISO performs an initial assessment of each reported cyber incident and escalates all non-trivial cybersecurity incidents and risks to the CIO and CRC . The CRC is primarily responsible for assessing and managing material risks from cybersecurity threats and is comprised of a cross-functional team including the CIO, as well as senior representatives from the Company's risk management, finance and legal functions. The CIO has over 15 years of experience in managing cybersecurity . Our CISO has over 25 24 / 2025 Form 10-K Table of Contents years of technology experience, including over 11 years of experience serving in senior management cybersecurity positions. She has been in this role with Reliance since 2025 and reports to our CIO. The Board, acting through its committee structure, is responsible for overseeing management's implementation and execution of the enterprise risk management processes and for coordinating the outcome of reviews by Committees in their respective risk areas. Although each Committee is responsible for overseeing the management of certain risks, the Board is regularly informed by the Committees about these risks. This enables the Board and the Committees to coordinate risk oversight and the relationships among the various risks faced by the Company, including cybersecurity risk. Directors with experience overseeing and managing risk management processes play a critical role in the Board's oversight of our enterprise risk management processes. The Board has designated the Audit Committee to be responsible for oversight of cybersecurity risk. The Audit Committee receives reports from the CRC, the CIO and the CISO that may discuss topics such as prior assessments, cybersecurity trends, cybersecurity events, and planned enhancements. In addition, the Audit Committee receives regular periodic reports regarding information technology general controls in connection with its oversight of internal control over financial reporting. The Chair of the Audit Committee briefs the Board on these matters on a quarterly basis .

Company Information