UFP INDUSTRIES INC - (UFPI)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy.

Risks from Cybersecurity Threats. Information relating to risks from cybersecurity threats is included in this report in Item 1A under the caption “Cybersecurity breaches or a failure in our e-commerce operations and could disrupt our business.”

We manage and oversee a cybersecurity risk program designed to evaluate potential threats, vulnerabilities, and the potential impact on our operations, data, and stakeholders. This program undergoes regular reviews and updates to address emerging risks. Our process for addressing risk aligns with industry standards as outlined in the NIST Cybersecurity Framework, NIST Risk Management Framework, and CIS Top 18 Security Controls.

We utilize a three-step process to effectively manage cybersecurity risks:

Identify. We establish an understanding of our critical operational assets and those that could be attractive to potential threat actors. We consider any cyber activity that could diminish an asset’s value, hinder our ability to use or access the asset, or covertly allow a threat actor to gain access to an asset as a potential risk.

Assess. We evaluate the exposure of our assets to identified cyber risks and the potential impacts on our operations or reputation if we were unable to access or utilize an asset or realize its value, or if a threat actor gained access to an asset or its value. We also assess the potential materiality of these risks based on their potential impact on our operations or reputation.

Manage. We apply a multi-layered defense strategy to maintain our ability to access or utilize an asset or its value and prevent threat actors from gaining or increasing their access to an asset or its value. We prioritize our defensive mechanisms, including administrative, procedural, and technical controls, based on their cost-effectiveness and their ability to reduce risk.

Periodically, we engage consultants and other third parties to assist in the continued improvement of our cybersecurity program. These engagements are designed to enhance our cybersecurity posture, and we work closely with these experts to help us identify and address vulnerabilities. Examples of these engagements include penetration testing, risk assessments, and cybersecurity control audits.

We maintain policies and procedures to oversee and identify cybersecurity risks associated with our third-party service providers, especially those with access to customer and employee data. Our selection and oversight of these providers incorporate cybersecurity considerations, including contractual and other mechanisms to mitigate and continually monitor risks.

We undertake proactive activities to prevent, detect, and minimize the impact of cybersecurity incidents. We maintain an incident response plan to respond swiftly to breaches and minimize disruption to our operations. The incident response process is consistently tested and reviewed through simulated incidents. To bolster the incident response process, we have business continuity, contingency, and recovery plans to ensure operational resilience during a cybersecurity incident. Previous cybersecurity incidents guide continuous improvements in our governance, policies, procedures, and technology. We use these lessons to strengthen our cybersecurity defenses.

Cybersecurity threats and risks, including any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect, our business strategy, results of operations, or financial condition. We have not, as of the date of this filing, experienced a cybersecurity breach that has materially affected our business or financial condition. However, because our business involves the collection, transmission, and storage of certain customer and employee data, it is possible that we could be susceptible to various cybersecurity threats, including cyberattacks, unauthorized access, and similar events.

We are committed to the ongoing identification and management of cybersecurity risks as part of our business strategy, financial planning, and capital allocation. We strive to incorporate cybersecurity considerations into all aspects of our operations. As the cybersecurity landscape evolves, so does our strategy to identify and mitigate these risks. We continuously work towards enhancing our processes to ensure an effective cybersecurity posture.

Board of Directors and Management Governance.

Board of Directors Oversight. We recognize the critical importance of cybersecurity and data protection and understand the potential harm to our business from cybersecurity incidents. Accordingly, we place a high priority on mitigating risks associated with cybersecurity threats and any cybersecurity incidents.

Company management maintains primary responsibility for the risk management of the Company, including cybersecurity risks. The Board’s Audit Committee is responsible for the oversight of risks associated with cybersecurity threats. The Audit Committee Charter provides that the Committee is responsible for reviewing management’s assessment of the Company’s information technology process framework and practices and the controls implemented to monitor and mitigate information technology risks. In addition, as part of the Audit Committee’s quarterly meetings and as provided for in its Charter, the Committee receives reports and briefings from the Company’s Chief Information Officer (CIO), Director of Cybersecurity, and management’s cybersecurity team. Those reports and briefings include management’s review of emerging cybersecurity developments and threats, the Company’s risk relating to cybersecurity, and the Company’s strategy to mitigate data protection and cybersecurity risks. The Audit Committee has the authority to obtain advice and input from external cybersecurity resources to assist in its oversight functions.

Management’s Role. Our management team is actively engaged in assessing and managing material risks from cybersecurity threats. We have established a robust framework for identifying, evaluating, and mitigating these risks.

Responsibility for Cybersecurity Risks. Our CIO has developed expertise in cybersecurity, compliance, enterprise architecture and design, data analytics, digital transformation, and customer service through years of experience in the information technology space. Our Director of Cybersecurity is designated as the senior executive responsible for cybersecurity and reports directly to our CIO. He has a comprehensive information technology background with 30 years of information technology experience, including 10 years of systems architecture and design, 12 years of management, and 14 years of service in managing, or assisting in managing, cybersecurity-related risks.

To support the CIO and Director of Cybersecurity in managing cybersecurity risks, we established a cross-functional cybersecurity team that includes experts in various aspects of information security. Combined, this team of employees includes individuals with over 85 years of prior work experience in cybersecurity and data protection. These individuals are responsible for the day-to-day implementation of our cybersecurity program.

Additionally, the cybersecurity management team regularly consults with additional resources, including attorneys, accountants, human resources personnel, and other information technology specialists, to determine materiality for cybersecurity-related risks and incidents. There is an established Incident Response Plan that clearly identifies escalation measures based on the impact to our organization.

Processes for Monitoring and Mitigating Risks and Incidents. We employ a comprehensive set of processes to monitor and mitigate cybersecurity risks. These processes include:

Continuous monitoring of network traffic and systems for signs of potential threats.
Regular vulnerability assessments and penetration testing to identify and address weaknesses.
Implementation of cybersecurity measures, such as firewalls, intrusion detection systems, and data encryption.
Employee training and awareness programs to educate staff about cybersecurity best practices.
Incident response plans to ensure swift and effective responses to cybersecurity incidents.
Software and vendor risk assessments.
A vulnerability management solution to prioritize patches based on risk.
Privileged account management solutions for administrative access.

These processes are designed to prevent cybersecurity incidents, but they also allow our organization to quickly detect and respond to incidents if they do occur. They are regularly reviewed and updated to adapt to evolving cybersecurity threats.

If any incidents occur, we have a comprehensive Incident Response Plan in place. The Plan includes materiality qualifiers based on the size and scope of the incident. Furthermore, there is an escalation matrix that identifies who is directly involved with managing the incident based on the severity. An Incident Report is compiled for all incidents, regardless of materiality. Management reviews the incident reports and ensures all incidents are mitigated and remediated effectively. These reports are shared with the CIO, CFO, and Audit Committee so they can effectively manage resources to reduce risk and prevent future incidents.

Reporting to the Board. As noted above, our CIO, Director of Cybersecurity, and cybersecurity team provide quarterly updates and reports to our Audit Committee on cybersecurity risks as well as a review of the processes described above. Our management personnel are also required to provide more frequent updates to the Audit Committee on major developments regarding cybersecurity matters. The Committee, in turn, provides regular updates to the Board on these matters.