NUCOR CORP - (NUE)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Nucor recognizes the importance of developing, implementing, and maintaining effective cybersecurity measures designed to protect our information systems and the confidentiality, integrity, and availability of our data. We face a number of information technology and cybersecurity threats which could have an adverse effect on our business and results of operations.

Notwithstanding the Company’s cybersecurity framework and preventative strategies, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See “Item 1A. Risk Factors” for a discussion of cybersecurity risks.

Risk Management and Strategy

Overview

We have developed and implemented a cybersecurity risk management program that is intended to enable us to assess, identify, and manage risk associated with cybersecurity threats. Our program is based on the Cybersecurity Framework promulgated by the National Institute of Standards and Technology and other applicable industry standards, and includes the following key elements:

identification and assessment of cybersecurity threats based on internal and external assessments and monitoring, information from internal stakeholders, and external publications and resources such as those made available by the United States Cybersecurity and Infrastructure Security Agency;
technical and organizational safeguards designed to protect against identified threats, including documented policies and procedures, technical controls, and employee education and awareness;
processes to detect the occurrence of cybersecurity events, and maintenance and regular testing of incident response and recovery and business continuity plans and processes; and
a third-party risk management process to manage cybersecurity risks associated with our service providers, suppliers, and vendors.

The program is designed to foster a culture of cybersecurity risk management across the Company.

Integrated Overall Risk Management

Assessing, identifying, and managing cybersecurity-related risks is integrated into our overall risk management framework. The Company conducts an annual cybersecurity risk assessment and reports the most significant risks and associated planned mitigation strategies to the Audit Committee of the Board of Directors. The annual risk assessment is carried out under the supervision of the President of Nucor Business Technology, the Company’s Cybersecurity Director, and the Company’s Vice President and Corporate Controller. See “Governance” below. The Board also regularly receives focused presentations regarding cybersecurity risks from the Company’s Cybersecurity Director.

Third-Party Engagement

Due to the complexity and ever-changing nature of cybersecurity threats, Nucor engages a range of external experts to assist in its assessment, identification, and management of risks from cybersecurity threats. These include cybersecurity assessors, forensic and incident response experts, and auditors to review the Company’s cybersecurity posture and responsive efforts. Our relationships with these external partners enable us to leverage their expertise with the goal of maintaining best practices.

Oversight of Third-Party Risks

Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact Nucor in certain circumstances. In response, we have implemented processes for overseeing and managing these risks. Those processes include limiting the exposure of our information systems to external systems to the least practicable amount, assessing the third parties’ information security practices before allowing them to access our information systems or data, requiring the third parties to implement appropriate cybersecurity controls in our agreements with them, and conducting ongoing monitoring of their compliance with those requirements. We also utilize third-party risk and compliance monitoring services to monitor our service providers, suppliers, and vendors and to augment the effectiveness of our risk mitigation efforts in this area.

Risks from Cybersecurity Threats

As of the date of this report, no risks from cybersecurity threats, including as a result of cybersecurity incidents we have experienced in the past, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Governance

The Company seeks to ensure effective governance in managing risks associated with cybersecurity threats, as more thoroughly described below.

Board of Directors Oversight

The Audit Committee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats. The Audit Committee is composed of directors with a wide range of experience, including risk management and controls, and technology. See “Integrated Overall Risk Management” above.

Management’s Role in Cybersecurity Risk Management

A division of the Company known as Nucor Business Technology, or NBT, is responsible for the Company’s information technology needs, including cybersecurity risk assessment and management. NBT’s cybersecurity function is led by the Cybersecurity Director, who reports to the President of NBT, who in turn reports to the Company’s Chair, President, and Chief Executive Officer. The current Cybersecurity Director has twenty years of experience in the cybersecurity field and has broad expertise in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, and incident response.

The Company also has a Risk Committee composed of the following members of the Company’s management:

Executive Vice President, Business Services & General Counsel
President, Nucor Business Technology
Vice President and Corporate Controller
Vice President and General Manager, Corporate Legal Affairs
General Manager of Internal Audit
Cybersecurity Director
Manager of External Reporting

The Risk Committee is responsible for overseeing the Company’s response to cybersecurity incidents. The Risk Committee and the Chair, President, and Chief Executive Officer inform the Audit Committee and the Board of Directors on cybersecurity risks.

Monitoring of Cybersecurity Incidents

The Cybersecurity Director implements and oversees our processes for regularly monitoring our information systems. This includes security measures and regular audits to identify potential issues. In the event of a cybersecurity incident, we have an established incident response plan that requires prompt notification of the Cybersecurity Director or their designee, who in turn oversees our assessment of and response to the incident. The Cybersecurity Director is also responsible for informing the Risk Committee of cybersecurity incidents, which in turn has a detailed process for assessing the impacts of incidents and monitoring the Company’s mitigation and remediation efforts. Depending on the nature of the incident, this process also provides for escalating notification to senior executives, including the Chair, President, and Chief Executive Officer and to the Board of Directors.