PATRICK INDUSTRIES INC - (PATK)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity is critical to Patrick’s ability to drive its vision and operational initiatives. Patrick faces a range of cybersecurity threats including attacks common to most industries, such as ransomware and denial-of-service, and attacks from more advanced and persistent, highly organized adversaries. Our customers, suppliers, consultants and subcontractors face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. These cybersecurity threats and related risks make it imperative that we remain vigilant and apprised of developments in the information security field, and we expend considerable resources on cybersecurity.
The Board of Directors oversees Management’s processes for identifying and mitigating risks, including cybersecurity risks, to support alignment of our risk exposure with our strategic objectives. Senior leadership, including our Vice President – IT Operations and Chief Information Security Officer (CISO), regularly briefs the Board of Directors on our cybersecurity and information security posture and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us. In the event of an incident, we intend to follow our incident response protocol, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board of Directors, as appropriate.
Our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The corporate information security organization manages the Company's enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Central to this organization is our carefully selected combination of security tools that concentrate on both perimeter and internal environments. These solutions are responsible for the protection, detection and response capabilities used in the defense of Patrick’s data and enterprise computing networks. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses, which we believe improves our cybersecurity program.
The corporate information security organization has implemented a governance structure and process to assess, identify, manage and report cybersecurity risks. We also have a corporate-wide counterintelligence and insider threat detection program to proactively identify external and internal threats, and mitigate those threats in a timely manner. In addition to developing and implementing pre-existing third party frameworks, we have implemented our own practices and customized controls tailored to the Patrick enterprise environment. We believe this approach enhances our defense in depth stance while increasing our ability to identify, contain and manage cybersecurity risks.
Third parties also play a role in our cybersecurity program initiatives. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls.
Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management process. Cybersecurity related risks are included in the risk universe that the enterprise risk management function evaluates to assess the top risks to the enterprise on an annual basis. To the extent the enterprise risk management process identifies a heightened cybersecurity related risk, "risk owners" are assigned to develop risk mitigation plans, which are then tracked to completion. The process’s annual risk assessment is presented to the Board of Directors.
We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or third-party partner could materially adversely impact us.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us, but we do ensure all proper cybersecurity protocol and due diligence are applied across the organization. While Patrick maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.