MASONITE INTERNATIONAL CORP - (DOOR)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
As required by Item 106 of Regulation S-K, the following sets forth certain information regarding our cybersecurity governance, strategy and risk management.
Cybersecurity Governance
Our Board of Directors has ultimate oversight of the Company’s privacy and cybersecurity programs and strategy, with each of the Board of Directors' Sustainability and Governance Committee and Audit Committee maintaining oversight responsibility for different elements of these programs. The Sustainability and Governance Committee and Audit Committee inform the full Board of Directors of any cybersecurity learnings or risks that were discussed at the committee level.
The Sustainability and Governance Committee oversees the Company’s strategies and processes related to information security and technology risks, including cybersecurity. The Company’s Chief Information Security Officer (“CISO”), and the Company’s Chief Information Officer present a quarterly cybersecurity report to the Sustainability and Governance Committee and, at times, to the full Board of Directors. The reports include detailed updates on the Company’s cybersecurity risks and threats, the status of projects to strengthen the Company’s information security systems, internal and third-party assessments of the Company’s cybersecurity program maturity against the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, incident preparedness and the current cybersecurity environment, including current trends or recent noteworthy incidents affecting other companies. The Company has created a cybersecurity incident response plan that requires management, including the Company’s CISO, to take certain mitigating actions including notification to the Company’s Disclosure Committee, upon the occurrence of certain types of incidents that may be material or pose significant risk to the Company, for management. The incident response plan also contains procedures requiring, upon the determination by management that the cybersecurity incident is material, notification to the Board of Directors’ Sustainability and Governance Committee and Audit Committee.
To assist the Company in assessing, preventing, identifying, mitigating and responding to material risks resulting from cybersecurity threats, the Company has developed a comprehensive cybersecurity risk management program led by our CISO. Our CISO is a Certified Information Systems Security Professional by the International Information System Security Certification Consortium who joined the Company in March 2018 after spending 15 years with other organizations as a cybersecurity and information technology (“IT”) professional. Our CISO leads our management-level IT Risk Management Committee composed of IT functional leaders that meet quarterly to review the trending cybersecurity environment, risks and threats to the Company, the progress of cybersecurity mitigation and remediation projects and overall progress against the Company’s cybersecurity strategy. The Company’s senior IT leadership shares progress, findings or concerns reported by the IT Risk Management Committee with senior management to assess the impact of cybersecurity risks and threats to the Company, to assist with driving overall operational awareness, ownership and alignment broadly across the Company for a more effective cybersecurity risk management program.
Cybersecurity Strategy and Risk Management
25


The Company’s enterprise-wide cybersecurity strategy is advanced and reinforced by policies, processes, procedures, standards, technologies and training designed to protect the Company’s IT systems, operations and sensitive business data. The Company has deployed a multiple-layer defensive model, which includes a variety of detective and protective technologies and measures to monitor and protect our critical IT systems, which include among others, intrusion detection and protection, email security, endpoint security, 24/7 third party security monitoring and proactive security testing.
The Company evaluates new and existing third-party service providers and suppliers through a risk assessment that includes interviews and questionnaires to assess their cybersecurity capabilities, process maturity, compliance attestations and the overall technology relationship risk. Each third-party risk assessment is conducted during the contract negotiation process, during certain contract milestones and at other periodic intervals. The final risk assessments and reports are shared with internal teams and IT leadership to assist with ongoing risk mitigation actions. The Company’s cybersecurity defense strategy is regularly tested through internal and third-party penetration testing. Additionally, the Company’s cybersecurity program maturity and risk profile is regularly analyzed and measured internally against generally accepted industry standards and frameworks, including the NIST Cyber Security Framework, the FAIR model and external third-party maturity assessments.
To strengthen the Company’s cybersecurity readiness, the Company has developed a cybersecurity incident response policy and a cybersecurity incident response plan in partnership with various internal department functions and third-party IT consultants. Our cybersecurity incident response plan is based on the NIST incident response lifecycle and co-led by our CISO and director of information security. Our cybersecurity incident response plan has a designated incident response team composed of management members from select departments who each play a role within the four phases of the plan that include preparation, detection analysis, containment, eradication, recovery and post-incident activity. Each phase provides a detailed list of actions and responsibilities for each department to assist in responding to a cybersecurity incident. In the event of a cybersecurity incident, as provided in our cybersecurity incident response plan, a root-cause analysis will be conducted and based on the findings, certain new or improved processes and procedures may be implemented to continually improve the security of our IT systems and confidential data. Additionally, the Company’s incident response team conducts an annual table-top exercise, utilizing the cybersecurity incident response plan and makes improvements on the response plan based on new learnings. Senior management and Board-level table-top exercises have also been conducted to further prepare and support the Company with responding to and mitigating the effects of a cybersecurity incident. The Company has further implemented a business continuity and disaster recovery plan where critical systems are backed-up daily and incrementally and stored in an encrypted format in multiple secure locations.
As of the date of this report, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. That said, as discussed more fully under Part I, Item 1A. “Risk Factors – Risks Related to our Operations”, these potential threats pose a risk to the security of our systems and networks and the confidentiality, availability and integrity of our data. Cybersecurity attacks could also include attacks targeting customer data or the security, integrity and/or reliability of the hardware and software installed in our products. It is possible that our information technology systems and networks, or those managed or provided by third parties, could have vulnerabilities, which could go unnoticed for a period of time. While various procedures and controls have been and are being utilized to mitigate such risks, there can be no guarantee that the actions and controls we have implemented and are implementing, or which we cause or have caused third-party service providers to implement, will be sufficient to protect and mitigate associated risks to our systems, information or other property.