U.S. SILICA HOLDINGS, INC. - (SLCA)
10-K Filing Date: February 27, 2024
ITEM 1C.CYBERSECURITY
Cybersecurity represents a critical component of our overall approach to risk management. Our cybersecurity policies, standards and practices are fully integrated into our enterprise risk management (“ERM”) approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by our Board of Directors (the “Board”). Our cybersecurity policies, standards and practices follow recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. We generally approach cybersecurity threats through a cross-functional, multilayered approach, with specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to us; (ii) preserving the confidentiality, security, integrity, and availability of the information that we collect and store to use in our business; (iii) protecting our intellectual property; (iv) maintaining the confidence of our customers, clients and business partners; and (v) providing appropriate public disclosure of cybersecurity risks and incidents when required.
Risk Management and Strategy
Consistent with overall ERM policies and practices, our cybersecurity program focuses on the following areas:
•Vigilance: We maintain a global presence, with cybersecurity threat operations functioning 24/7 with the specific goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response and recovery plans.
•Systems Safeguards: We deploy systems safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through ongoing vulnerability assessments and cybersecurity threat intelligence.
•Collaboration: We utilize collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.
•Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
24
•Training: We provide routine mandatory training for personnel regarding cybersecurity threats, which reinforces our information security policies, standards and practices, and such training is scaled to reflect the roles, responsibilities and information systems access of such personnel.
•Incident Response and Recovery Planning: We have established and maintain comprehensive incident response and recovery plans that fully address our response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
•Communication, Coordination and Disclosure: We utilize a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from our technology, operations, legal, risk management, internal audit and other key business functions, as well as the members of the Board and the Audit Committee of the Board in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner.
•Governance: The Board’s oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with the company’s ERM function, our Chief Information Officer, the Director of IT Security & Risk Management, other members of management and relevant management committees and councils, including the Information Security Governance Committee.
A key part of our strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, threat modeling, penetration and vulnerability testing and other assessments and exercises focused on evaluating the effectiveness of our cybersecurity measures. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee and the Board, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.
Governance
The Board, in coordination with the Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that our management implements to address risks from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Board and the Audit Committee also are informed of any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. At least once each year, the Board and the Audit Committee discuss our approach to cybersecurity risk management with our Chief Information Officer.
Our Chief Information Officer and the Director of IT Security & Risk Management are the members of management that are principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the company. The Chief Information Officer and the Director of IT Security & Risk Management work in coordination with the other members of the Information Security Governance Committee (the “ISGC”), which includes our Chief Financial Officer, General Counsel, Environmental Health & Safety Director, Vice President of Finance, Vice President of Information Technology, Executive Vice President of Industrial & Specialty Products, and the Director of Corporate Human Resources & Talent Management.
The ISGC was established by the Audit Committee and its primary responsibility is to provide oversight to the Information Systems Security Program (“ISSP”) to align information systems security activities to business goals, effectively manage risk, and ensure compliance. The ISGC is chaired by the Director, IT Risk Management, with the Chief Information Officer as an alternate. The ISGC’s responsibilities include developing policies and supporting frameworks, controls, and procedures to protect company, customer, and employee data from cybersecurity breaches; establishing organizational risk tolerance and developing information security policies to align with this tolerance level; and ensuring adequate security controls, as specified in policies or otherwise agreed upon, to manage risk and compliance. The ISGC has developed an ISSP scorecard to communicate cybersecurity incidents and activity and report program accomplishments and provides quarterly updates to the Audit Committee, including the ISSP scorecard, and at least annual updates to the Company’s extended leadership team.
25
Our Chief Information Officer and the Director of IT Security & Risk Management, in coordination with the ISGC, work collaboratively across the company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, multidisciplinary teams throughout the company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our incident response and recovery plans. Through the ongoing communications from these teams, the Chief Information Officer, the Director of IT Security & Risk Management, and the ISGC monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and the Chief Information Officer reports such incidents to the Audit Committee when appropriate.
Our Chief Information Officer has served in various roles in information technology and information security for over 25 years, including serving as Chief Information Officer for us for the past four and one-half years, as well as for another large public company, a private consulting firm providing technology and cybersecurity advisory services and a privately held fuel oil blending and distribution company. The Chief Information Officer holds an undergraduate degree in management and leadership from Northeastern University.
Our Director of IT Security & Risk Management holds an undergraduate degree in computer science and a master’s degree in business administration from Texas Tech University and has served in various roles in information technology for over 20 years, including serving as an IT security consultant and performing IT audit work for PricewaterhouseCoopers, Deloitte, and Grant Thornton. He then returned to the industry to oversee the IT security program for classified systems at a publicly-traded defense contractor. He next joined a publicly-traded energy services company to lead the IT security program before joining us in 2019. Certifications he has held at various points throughout his career include the following – Certified Information Systems Auditor (CISA), Check Point Certified Security Administrator (CCSA), Check Point Certified Security Expert (CCSE), Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Microsoft Certified Professional (MCP).
We do not currently believe cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including its business strategy, results of operations, or financial condition; however, we could experience a cybersecurity incident that materially affects us in the future. See “Risk Factors—Operational Risks” for additional discussion of cybersecurity risks to our business.
26