Page last updated on February 26, 2026
TopBuild Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:07:06 EST.
Filings
10-K filed on 2026-02-26
TopBuild Corp filed a 10-K at 2026-02-26 16:07:06 EST
Accession Number: 0001104659-26-020481
Item 1C. Cybersecurity.
Item 1C. CYBER RISK MANAGEMENT, STRATEGY AND GOVERNANCE
Cyber Risk Management Program
We recognize the importance of maintaining the integrity of our information technology systems and safeguarding the confidential business and personal information we receive and store about our employees, customers and suppliers. We have a cyber risk management program in place to identify, assess, and manage risks from cyber threats. Our cyber risk management program is structured to implement industry best practices throughout our operations and functions, including threat monitoring and analysis, vulnerability assessments, and management of third-party cyber risks. The program also encompasses detection and response to cyberattacks and data breaches, crisis preparedness, incident response planning, business continuity and disaster recovery, as well as ongoing investments in cybersecurity infrastructure and program enhancements.
Among the key features of our program are:
- Ongoing engagement of consultants, advisors, service providers, and other third parties to help test, develop, and advise on the management of our cyber risk program;
- Periodic independent, third-party reviews of our program and its maturity based on the National Institute of Standards and Technology (NIST) cybersecurity framework;
- Strategic engagements of consulting firms and legal advisors to advise the Board and our executive officers regarding the structure and oversight of our cyber risk management program, cyber strategy framework evolution, risk-based assessments, and cyber technology;
- Consulting with external advisors and specialists on specific projects regarding opportunities and enhancements to strengthen our cyber practices and policies on an as needed basis;
- Periodic review of SOC1 and SOC2 external audit reports submitted by our strategic third-party technology suppliers;
- Ongoing cybersecurity training for employees coupled with periodic vulnerability testing; and
- Periodic testing of incident response procedures.
Our cyber risk management program includes technology and processes designed to maintain active security of our information technology systems. We have not experienced a material cyber breach in the last three years. We do not believe that any risks from cyber threats of which we are currently aware, including as a result of any previous cyber incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cyber incident in the future that will materially affect us. For additional information regarding the risks to the Company associated with cyber incidents, see "In the event of a cyber incident, we could experience operational interruptions, incur substantial additional costs, become subject to legal or regulatory proceedings or suffer damage to our reputation," included in Part I, Item 1A (Risk Factors) of this Annual Report.
To help identify and manage cyber risks associated with our use of third-party service providers, we have implemented processes to assess third-party systems which could be compromised in a manner that adversely impacts the Company and our technology systems. In this regard, we conduct due diligence of significant third-party service providers who have or will have access to our information technology systems and incorporate cybersecurity protections in our engagement contracts with such providers. In addition, we require such third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations. Further, our external auditor reviews our processes designed to control access to our information technology systems as part of its assessment of our internal controls.
Incident Response Procedures
We have a cyber incident response plan in place outlining procedures to follow in the event of a cyber incident. Under the plan, we established a cross-functional Cyber Response Team (CRT) with expertise in various subject matter areas responsible for initiating and leading our incident response procedures. The CRT is under the direction of our Chief Information Officer and is comprised of our Senior Director of Cybersecurity, Chief Accounting Officer, Assistant General Counsel and Chief Compliance Officer, Senior Manager of Risk and Insurance, and certain other members of management. The plan provides that our CRT will conduct an impact assessment in the event of a cyber incident that meets pre-established criteria, or which may otherwise impact the operations or finances of the Company. If any such cyber incident is determined by the CRT to have the potential to materially impact the Company, such event would be elevated for further review and assessment by a senior leadership team consisting of our Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, General Counsel and other members of our executive leadership team. Under certain circumstances, such review and assessment would include reporting to and oversight of the Board.
Governance
Our full Board is responsible for oversight of risks from cyber threats, including our cyber risk management program. In carrying out its oversight responsibilities, the Board receives regular cybersecurity updates and quarterly scorecard assessments from our Senior Director of Cybersecurity, which cover topics related to information security, privacy and cyber risks, and our risk management processes, including the status of any recent cyber events meeting specified criteria, the emerging threat landscape, and the status of capital investments in our information security infrastructure.
At a management level, our cyber risk management program is led by our Chief Information Officer, who reports to our Chief Executive Officer. Under our Chief Information Officer's leadership, the cybersecurity team implements and provides governance and functional oversight for cybersecurity controls and services. The team's credentials include Certified Chief Information Security Officer, Certified Information Security Manager and Certified Information Systems Security Professional.
To help identify, assess, and manage risks from cyber threats, we have integrated cyber risk management into our broader, Company-wide enterprise risk management (ERM) evaluation and strategy process, which is led by our executive officers, overseen by the Audit Committee of the Board, and reviewed annually by the full Board. Our ERM process takes a top-down, enterprise view of material risks impacting our Company, including credit, liquidity, strategy, cyber, and operational risks, and is an ongoing process consisting of risk identification, risk rating, analysis and action plans, reporting, and monitoring. Employees responsible for assessing identified risks deliver an update quarterly to our senior leadership team, which consists of our Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Operating Officer, General Counsel, Chief Human Resources Officer, Chief Growth Officer, and Vice President of Supply Chain. Status updates with respect to these risk areas are delivered quarterly by management to the Audit Committee of the Board, and full risk assessment results are presented by management annually to the full Board.
Company Information
| Name | TopBuild Corp |
| CIK | 0001633931 |
| SIC Description | Construction - Special Trade Contractors |
| Ticker | BLD - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |