STEEL DYNAMICS INC - (STLD)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
We manage risks from cybersecurity threats through our overall companywide risk management process, which is overseen by our Board of Directors and specific Board Committees. Management has created a global information security program, which encompasses a dedicated global information security team and policies, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats. Our policies, procedures, and processes follow recognized frameworks established by the National Institute of Standards and Technology (“NIST”), as well as other relevant standards. Our program is designed to maintain the confidentiality, integrity, security, and availability of the data that is created, collected, stored, and used to operate our business.
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, utilizing, from time to time, tabletop exercises, business unit assessments, threat modeling, impact analyses, internal audits, external audits, third party vulnerability scans, third party penetration tests, and engagement of third parties to conduct analysis of our information security programs, including an overall assessment utilizing the NIST standards. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to team members or customers, and violations of data privacy or security laws.
Our Director of Information Security has twenty years of cybersecurity experience, has completed a Masters in Homeland Security, with an emphasis on cybersecurity, and holds several cybersecurity certifications. Our Director of Information Security is responsible for leading the Information Security Team which has established a cybersecurity risk management program of policies and processes for assessing, identifying, and managing risk from cybersecurity threats. We have integrated these processes into our overall risk management systems and processes, and routinely assess risks from cybersecurity threats, including any potential unauthorized access to or activity conducted through our information systems that may result in material adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. This program includes established reasonable safeguards to minimize the identified risks; processes to reasonably address any identified gaps in existing safeguards; updates to existing safeguards as necessary; and monitoring the effectiveness of those safeguards.
Our safeguards include continuous network monitoring, complex passwords, team member training that reinforces our policies, standards and practices, incident response capability reviews and exercises, and cybersecurity insurance and disaster recovery plans for the protection of our assets. The information security training and awareness program engages personnel through training modules on how to identify potential cybersecurity risks and protect the Company’s resources and information. This training is mandatory for all team members monthly, and is supplemented by companywide testing initiatives, including periodic phishing tests.
Our cybersecurity risk management program also assesses third party providers, such as vendors, suppliers, and other business partners. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third party providers and potential risks when handling and/or processing our employee, business or customer data.
Further, we have designated a member of our senior leadership team, our Chief Financial Officer, to oversee the management of the safeguards, cybersecurity risk assessment and mitigation process. From time to time, the Company’s program is reviewed and validated by internal and external experts.
In general, our incident response process follows the NIST framework and focuses on four phases: (i) preparation; (ii) detection and analysis; (iii) containment, eradication, and recovery; and (iv) post-incident remediation. As cybersecurity incidents occur, including at third party providers, the Director of Information Security leads the Information Security Team through a standardized incident response process that focuses on responding to and containing the threat, minimizing any business impact, and evaluating its severity level. The severity level assessment determines how widespread the incident is and to what degree it could impact our overall business and manufacturing environment. In the event an incident is determined by the Information Security Team to be a high severity level, our cross functional team, with expertise in various disciplines, will assess the incident to determine if it has had a material effect, or is reasonably likely to have a material effect, on the Company’s business strategy, results of operations, or financial condition.
We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. In the last three years, the Company has not experienced any material cybersecurity incidents and we have not incurred material expenses from cybersecurity incidents (including penalties and settlements, of which there were none). For additional discussion of whether and how risks from cybersecurity threats could materially affect or are reasonably likely to materially affect the Company, see Item 1A. Risk Factors – “We are subject to cybersecurity threats and may face risks to the security of our sensitive data and information technology which may adversely affect our business, results of operations, financial condition and cash flows.”
Governance
One of the key functions of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our Leadership Team is responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole, as well as directly through the Audit Committee. Management and members of the Information Security Group (“ISG”) regularly present to the Board of Directors regarding information security and an in-depth review of our processes for assessing, identifying, and managing material risks from cybersecurity threats. On a quarterly basis, the Audit Committee is informed by management concerning the status of existing and new cybersecurity risks, status of how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and status of key information security initiatives. Additionally, on a biennial basis, we engage third parties to assess our information security program, using the NIST framework, as well as penetration testing.
We have allocated substantial cross functional internal resources with expertise in information security, information technology, operations, risk management, human resources, finance, and legal to form a governance council known as the ISG. The ISG is an internal working group that collaborates with the Director of Information Security to ensure our cybersecurity program is adequately responsive to the evolving threat landscape. Our Director of Information Security has twenty years of cybersecurity experience, has completed a Masters in Homeland Security, with an emphasis on cybersecurity, and holds several cybersecurity certifications.