10-K Filing Date: February 23, 2024
Risk Management and Strategy
Martin Marietta prioritizes the management of cybersecurity risk and the protection of information across the enterprise by embedding data protection and cybersecurity risk management in its operations. The Company’s processes for assessing, identifying and managing material risks from cybersecurity threats have been integrated into the Company’s overall risk management system and processes.
As a foundation of this approach, the Company has implemented a layered governance structure to help assess, identify and manage cybersecurity risks. Martin Marietta’s cybersecurity policies encompass incident response procedures and information security. In order to help develop these policies and procedures, the Company monitors the privacy and cybersecurity laws, regulations and guidance applicable to the Company, as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks. The Company partners with leading cybersecurity companies and organizations, leveraging third-party technology and expertise, to monitor and test the performance and effectiveness of its cybersecurity controls and defenses.
As described in Item 1A “Risk Factors” of this Form 10-K, the Company faces risks from cybersecurity threats that could have a material adverse effect on its business, including its business strategy, results of operations or financial condition. While the Company has experienced attacks on the security of its information technology systems to date, management is not aware that the Company has experienced a material cybersecurity incident during the 2023 fiscal year.
As part of its overall risk management approach, the Company prioritizes the identification and management of cybersecurity risk at several levels, including Board oversight, day-to-day executive risk management and employee training. The Audit Committee, comprised of independent directors from the Board, oversees the Board’s responsibilities relating to the operational (including information technology risks, business continuity and data security) risk affairs of the Company. The Audit Committee is informed of such risks through quarterly reports from the Senior Vice President, Chief Information Officer (CIO), who oversees the implementation and compliance of information security standards and mitigation of cybersecurity related risks, assesses and manages the cyber risk management program, informs senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents with the support of the cybersecurity incident management team and supervises such efforts. The Company’s cybersecurity incident management team has decades of experience selecting, deploying and operating cybersecurity technologies, initiatives and processes as well as managing enterprise risk. The Incident Response Leadership Committee, which includes senior executives across the Company, is alerted as appropriate to cybersecurity incidents. The CIO communicates to the Audit Committee regarding the activities of the Incident Response Leadership Committee.
The Company also holds annual employee trainings on cybersecurity, conducts phishing tests and generally seeks to promote awareness of cybersecurity risk through communication and education of its employees.