Vulcan Materials CO - (VMC)
10-K Filing Date: February 22, 2024
Cybersecurity
We have a cross-departmental approach to addressing cybersecurity risk, including input from employees and our Board of Directors (the "Board"). The Board, Audit Committee, senior management and our Risk Management Committee (a taskforce led by senior corporate officers that draws on the subject matter expertise of senior managers from various functional departments and from line operations management) devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Key enterprise-level cybersecurity risks are incorporated into the Risk Management Committee’s framework and are assessed throughout the year. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include an IT Security Policy and Cyber Incident Response Plan, as well as other policies that directly or indirectly relate to cybersecurity, non-public information and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.
Our Chief Information Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board. Our Chief Information Officer has served in this role since April 2022 and has 28 years of experience in Information Technology. He earned a bachelor’s degree in Computer Science and a master’s degree in Information Technology. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed. All employees with computer access are asked to complete cybersecurity training at least once per year and have access to more frequent cybersecurity trainings through online trainings. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings.
We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT cybersecurity team regularly monitors cybersecurity threats and alerts and meets to discuss threat levels, trends and remediation. The team regularly collects data on risk areas and conducts an annual risk assessment. Further, we conduct periodic external penetration tests and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees and vendors. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers. Our Internal Audit team conducts an annual review of critical third-party hosted applications with a specific focus on any sensitive data shared with third parties. User access reviews of critical hosted applications are required at least annually, and System and Organization Controls (SOC) 1 or SOC 2 reports provided by the vendors are reviewed annually. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.
The Audit Committee and the full Board actively participate in discussions with management and among themselves regarding cybersecurity risks. The Audit Committee performs an annual review of our cybersecurity program, which includes discussion of management’s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. The Audit Committee’s annual review also includes review of recent enhancements to the Company’s defenses and management’s progress on its cybersecurity strategic roadmap. In addition, the Board receives semi-annual updates from the Chief Information Officer. Further, at least annually, the Board receives updates on the Company’s Crisis Management Guide, which includes, among other things, the Cybersecurity Incident Response Plan. To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically hosts experts for presentations on these topics. For example, the Board has hosted an expert to discuss developments in the cybersecurity threat landscape and to review our performance at our most recent tabletop exercise.
We face a number of cybersecurity risks in connection with our business. Although such risks have not, to date, materially affected us, our business strategy, results of operations or financial condition, we have from time to time experienced threats to and breaches of our data and systems, including malware and computer virus attacks. For more information about the cybersecurity risks we face, see the risk factor entitled “We are dependent on information technology systems (our own and those of our service providers such as Amazon Web Services), and these systems contain non-public data about our business, employees, suppliers and customers” in Item 1A “Risk Factors.”