Simpson Manufacturing Co., Inc. - (SSD)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Our cybersecurity risk management efforts are an integral part of our overall risk management processes, and we are deeply committed to safeguarding our digital and information technology environment for our employees, customers and vendors. We employ a robust, global and multi-layered security strategy, known as “defense-in-depth,” to assess, identify and manage cybersecurity risks and protect our cyber work environment from potential threats and vulnerabilities. These risks, threats and vulnerabilities include those that could result in significant operational disruption to the Company, such as production disruption, business downtime or loss of containment, as well as risks that could have significant reputational or compliance/regulatory impact.
The Simpson Information Security Team monitors information security risks that target both technology and manufacturing environments and identifies potential risks to Simpson’s information security posture. Any identified risks are prioritized in terms of impact to Simpson’s information security posture and, if critical, addressed immediately or added to Simpson’s information security roadmap. To supplement our internal cybersecurity resources, we also engage external third parties to perform information security assessments, penetration tests and related services to enhance our information security program.
Risks Associated with Third-Party Service Providers
In addition, we implement robust processes to oversee and manage risks associated with our business arrangements with third-party service providers. All new Simpson third-party business agreements are reviewed and assessed by our Information Security Team. We also perform information security program investigations on the security posture of, and assess any publicly known information security events related to, these third-party service providers. If a third-party service provider with a business agreement with Simpson experiences an information security breach or incident, our Information Security Team reviews and assesses such event to understand Simpson’s overall exposure to the security incident.
Insurance
We maintain cybersecurity insurance coverage at industry standard levels as a part of our comprehensive insurance portfolio to help mitigate risk in the event an information security event occurs.
Risks from Cybersecurity Threats
Despite our security measures, our information technology and infrastructure may remain vulnerable to disruptions, including as a result of attacks by increasingly sophisticated intruders or others who attempt to cause harm to, or otherwise interfere with the normal use of, our systems. We have experienced targeted and non-targeted cybersecurity attacks and incidents in the past that have resulted in unauthorized persons gaining access to our information systems and computer networks, and we could in the future experience similar attacks. On October 11, 2023, we announced that we had experienced disruptions in our Information Technology (IT) infrastructure and applications resulting from a cybersecurity incident. We identified unauthorized activity in our IT systems and took immediate steps to stop, remediate and investigate such activity. We also notified relevant law enforcement. The incident, which caused disruption of our business operations for approximately three days, has been resolved due to steps we took to address the incident. As a result of our ability to restore our operations within three days, we were able to fulfill our backlog of orders caused by the operational disruption within one week, and therefore, we experienced no material financial impact to our business.
We do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats we face, see the section captioned “Risks Relating to Our Intellectual Property and Information Technology” under Part I, Item 1A “Risk Factors” above.
Governance
Board and Committee Oversight
Although our full Board of Directors is ultimately responsible for risk oversight, our Board is assisted in discharging its risk oversight responsibility by its committees. The Audit and Finance Committee of the Board is responsible for providing oversight of our information security program and cybersecurity risks. In connection with this oversight role, the Audit and Finance Committee receives information technology updates from management at least quarterly. Cybersecurity risks facing the Company and updates on the Company’s practices and progress to mitigate such risks are also the subject of management reports to the Audit and Finance Committee on a more frequent basis, as necessary or appropriate.
Management’s Role in Assessing and Managing Risk
The Company’s information security efforts are led by our Senior Vice President, Information Technology (“SVP, IT”) and our Director of Information Security (“IT Director”), supported by our executive management team. These efforts are designed to address information security governance and risk, product security, identification and protection of critical assets, third-party risk, security awareness, cyber defense operations and related risk management matters. Our SVP, IT and IT Director have an average of over 35 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals have relevant educational and industry experience, including holding similar positions at other large companies.
Our SVP, IT provides relevant cybersecurity and information technology reports to the Audit and Finance Committee, and to the executive leadership team. These reports are provided at quarterly Audit and Finance Committee meetings and at our quarterly Information Technology Steering Committee (“IT Steering Committee”) meetings. These reports typically include analyses of recent significant cybersecurity threats and incidents at the Company and across the industry, as well as a review of our security controls, assessments and program maturity, risk mitigation status, and a review of our third-party service providers as appropriate. Simpson’s information security roadmap and posture are also reviewed quarterly with members of the executive leadership team and the Audit and Finance Committee. In accordance with our information security program, any information security event is assessed and reviewed by our IT Steering Committee.
The IT Steering Committee is responsible for assessing and reviewing our information security program and the Company’s material risks from cybersecurity threats. Additional supervision and management are provided by our IT Leadership team, composed of our SVP, IT; VP, IT Infrastructure and Operations; VP, IT Enterprise Applications; and International IT Director.