TREX CO INC - (TREX)
10-K Filing Date: February 26, 2024
Cybersecurity
Cybersecurity Risk Management
The Company has systems and processes for identification, assessment, and management of material risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. The Company’s multi-faceted approach includes deploying applications and control activities to actively monitor and mitigate potential threats to the Company’s IT environment.
These activities include, but are not limited to, engaging an external third party to monitor information systems security events, conducting annual security training of employees, testing employees via periodic phishing campaigns, conducting system vulnerability scanning, utilizing a patching program to apply critical patches, and utilizing an external third party to perform testing to identify gaps in the Company’s security program. The Company also performs third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners. Additionally, for providers of software-as-a-service and other services that hold Company data, the Company reviews and assesses industry standard certifications such as System and Organization Controls (SOC) 1 or SOC 2 reports and cybersecurity preparedness questionnaires. Risk mitigation efforts are coordinated by the Company’s Director of Information Security, utilizing internal resources and third-party providers.
The Company has not had any cybersecurity risks that have materially affected the Company, including its business strategy, results of operations, or financial condition. Cybersecurity risks are disclosed in Part I Item 1A. Risk Factors, incorporated herein by reference.
Cybersecurity Governance
Our cybersecurity programs, including the cross-functional management committees responsible for identifying, assessing, and mitigating cybersecurity risks and incidents, are owned by our Chief Information Officer. Day-to-day administration of the cybersecurity programs is led by our Director of Information Security, a direct report to the Chief Information Officer. The Chief Information Officer has 27 years of technology leadership experience and a Master of Business Administration with a concentration in Management Information Systems. The Director of Information Security has 26 years of experience in infrastructure and security operations and a degree in Information Technology Management. The Director of Information Security is the chair of the Company’s Information Security Committee. The activities of the Information Security Committee are reviewed by the Executive Information Security Oversight Committee, which is comprised of members of our senior leadership team including our Chief Information Officer, the Senior Vice President, Chief Financial Officer, Senior Vice President, Chief Legal Officer and Secretary and Senior Vice President, Chief Human Resources Officer. The Executive Information Security Oversight Committee facilitates notification to the Audit Committee of emerging cybersecurity risks and threats, the status of projects to strengthen the Company’s information security systems, and updates on any cybersecurity incidents.
The Audit Committee of the Board of Directors oversees cybersecurity-related risks. Members of the Audit Committee receive the above-referenced notifications and updates on a quarterly basis from the Company’s Chief Information Officer as the designated representative of the Executive Information Security Oversight Committee.
Additionally, the Company has a Written Information Security Policy and a Cybersecurity Incident Response Plan that provide the above-referenced processes by which such committees are informed of and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents and material risks from cybersecurity threats.