UNITED STATES LIME & MINERALS INC - (USLM)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy. We have designed and implemented processes to assess, identify, manage, detect, and respond to material cybersecurity risks and threats to our IT systems, including the prevention, detection, mitigation, and remediation of cybersecurity incidents in order to protect the confidentiality, integrity, and availability of our IT systems and the information residing on those systems. These processes are part of our overall risk management process and are embedded in our operating policies, procedures, and controls.

To protect our IT systems and information from cybersecurity risks, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified cybersecurity vulnerabilities and incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring, and detection tools. We also utilize a third-party security operations center connected to a network operations center to identify, investigate, and resolve any cybersecurity threats and incidents.

We regularly assess technological risks to our IT systems and information and monitor our IT systems for potential vulnerabilities and risks. We frequently conduct mandatory cybersecurity and IT systems awareness training for all employees with access to our systems. We also conduct regular reviews and tests of our IT cybersecurity processes, including reviews, assessments, and exercises.

We aim to incorporate responsible practices throughout our cybersecurity risk management processes. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks to our IT systems and information. As a part of this process, we engage independent third-party specialists to review our cybersecurity environment, including formal reviews and assessments, and we request specific, actionable recommendations for improvement.

While we have not, as of the date of this Report on Form 10-K, experienced a cybersecurity threat or incident that has materially impacted our business or operations, there can be no guarantee that we will not experience such a threat or incident in the future. A material cybersecurity threat or incident could adversely impact our mining and manufacturing operations, our sales or financial and administrative functions, or result in the compromise of personal or other confidential information of our employees, customers, or suppliers. For this reason, we maintain cybersecurity liability insurance to provide additional support, expertise, and resources to help ensure the integrity of our cybersecurity processes through regular reviews and assessments, to provide incident response assistance and expertise, and to provide a level of financial protection in the event of cybersecurity incident related costs and losses. See “Risk Factors - We may be adversely affected by any disruption in, or failure of, our information technology systems, including due to cybersecurity risks and incidents.”

Governance. Our Manager of Information Technology (“MIT”) is responsible for our IT cybersecurity policies, procedures, and controls and reports to our Chief Financial Officer (“CFO”). Our MIT has a Bachelor of Business Administration degree in management information systems and has over 20 years of relevant experience in the IT field. Team members also include third-party service providers who have relevant education and experience in cybersecurity.

Our CFO is informed about and facilitates prevention, detection, mitigation, and remediation efforts through regular communication and reporting from the professionals on our cybersecurity team. In addition, we have an escalation process in place to inform our Chief Executive Officer and other members of our senior management and, if necessary, the Audit Committee and Board of Directors, of important issues or events.

Our Audit Committee has oversight of our cybersecurity risk processes, as part of its overall oversight of our risk management program. Our CFO and MIT regularly report to and review our cybersecurity processes with the Audit Committee, with formal cybersecurity reviews with the Committee generally occurring at least annually, and sometimes more frequently, as appropriate.