RELIANCE, INC. - (RS)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Reliance has implemented processes for assessing, identifying and managing material risks from cybersecurity threats, which are integrated into the Company’s overall enterprise risk management systems and processes. The Company’s cybersecurity risk program is largely based on the U.S. National Institute for Standards and Technology (“NIST”) cybersecurity framework and other applicable industry frameworks. The Company regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and containment. The Company has also engaged third parties in connection with the assessment and advancement of its cybersecurity risk management processes. We undertake regular vulnerability scanning, periodic penetration testing and maturity assessments with the support of third parties; vulnerabilities are subsequently addressed based on risk/benefit analyses.

To support our preparedness, we have constituted a Cybersecurity Review Committee (“CRC”) and adopted a written cybersecurity incident response plan (“CIRP”). In the event of a cybersecurity incident, our CRC refers to our CIRP and existing management internal controls processes. Pursuant to these prescribed processes, designated personnel are responsible for assessing the severity of the incident and any associated threats, containing and resolving the incident as quickly as possible, managing any damage to the Company’s systems and networks, minimizing the impact on the Company’s stakeholders, analyzing and executing upon reporting obligations, escalating information about the incident to senior management and potentially representatives from the Board, as appropriate, and performing post-incident analysis and program enhancements, as needed. We perform tabletop exercises to test our incident response procedures, identify cybersecurity gaps and vulnerabilities and improvement opportunities and exercise team preparedness.

Reliance mandates regular cybersecurity training for employees and applicable contractors and considers this a critical step in safeguarding the Company’s data and assets. The training is designed to provide employees and contractors with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. The course includes enhancements to strengthen our defensive stance against the increasing number and sophistication of cyberattacks worldwide and also includes interactive modules covering various cyberattack methodologies, including insider attacks, phishing and other email attacks, malware attacks, data protection, data handling, password protections, cloud and internet security and cybersecurity fundamentals for mobile devices. We take a risk-based approach with respect to our use and oversight of third-party service providers, using a number of means to assess cyber risks related to our third-party service providers, including vendor questionnaires, conducting due diligence in connection with onboarding new vendors, and negotiating for cybersecurity-related terms in vendor agreements as appropriate. We also seek to collect and assess cybersecurity audit reports and other supporting documentation when available.

Cybersecurity Risks

Like other complex corporations, Reliance is the target of cyber-attacks from time to time. However, since January 1, 2021 (the first date covered by the financial statements presented in this Form 10-K) we have not experienced any cybersecurity incident that has materially affected or is reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For additional information about risks related to cybersecurity, please see the risk factor set forth under the caption Item 1A. “Risk Factors” the Risk Factor captioned “We rely on information management systems and any damage, interruption or compromise of our information technology management systems, networks or data could disrupt and harm our business.”

Governance

Roles and Responsibilities

Cybersecurity is an important element of our risk management processes and an area of particular focus for Reliance’s Board of Directors and management. The Company’s Sr. Director, Information Security (“ISD”) serves as single point of communication and coordination for protecting the Company and its digital information. The ISD performs an initial assessment of each reported cyber incident and escalates all non-trivial cybersecurity incidents and risks to the CRC. The CRC is primarily responsible for assessing and managing material risks from cybersecurity threats and is comprised of a cross-functional team including the ISD, the Chief Information Officer (“CIO”) as well as senior representatives from the Company’s risk management, finance and legal functions. The ISD has 17 years of cybersecurity experience, including 6 years with Reliance. The ISD maintains industry recognized credentials relevant to his role.

The Board, acting through its committee structure, is responsible for overseeing management’s implementation and execution of the enterprise risk management processes and for coordinating the outcome of reviews by Committees in their respective risk areas. Although each Committee is responsible for overseeing the management of certain risks, the full Board is regularly informed by the Committees about these risks. This helps enable the Board and the Committees to coordinate risk oversight and the relationships among the various risks faced by the Company, including cybersecurity risk. Directors with experience overseeing and managing risk management processes play a critical role in the Board’s oversight of our enterprise risk management processes.

The full Board has designated the Audit Committee to be responsible for oversight of cybersecurity risk. The Audit Committee receives regular reports from the CIO and the ISD that may discuss topics such as prior assessments, cybersecurity trends, prior cybersecurity events, and planned enhancements. In addition, the Audit Committee also receives regular periodic reports regarding information technology general controls in connection with its oversight of internal control over financial reporting. The Chair of the Audit Committee regularly briefs the full Board on these matters.