Builders FirstSource, Inc. - (BLDR)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company maintains robust and comprehensive processes, procedures and controls to protect and secure its information systems and data infrastructure from cybersecurity threats. The Company’s cybersecurity program is led by its Chief Information Security Officer (“CISO”). The Company’s cybersecurity program interfaces with other functional areas within the Company, including but not limited to the Company’s business segments and information technology, legal, risk management, human resources and internal audit departments, as well as external third-party partners, to identify and understand potential cybersecurity threats. The Company regularly assesses and updates its processes, procedures and management techniques in light of ongoing cybersecurity developments.

Internally, the CISO coordinates oversight of reviewing security alerts, identifying and monitoring ongoing and potential cybersecurity threats, evaluating strategic business impacts of cybersecurity threats and developing programs and initiatives to educate the Company’s employees regarding cybersecurity. The CISO also manages the Company’s Security Incident Response Plan (the “Incident Response Plan”), which outlines action steps for the preparation, identification, triage, analysis, containment, eradication, recovery and reflection stages of a cybersecurity incident. The Incident Response Plan serves as the charter for the Company’s Security Incident Response Team (the “Incident Response Team”), which includes a strategic team comprised of executives from various cross-functional management teams, as well as a tactical team comprised of internal technical support roles and external third-party service providers. The Incident Response Plan sets out how the Incident Response Team will analyze and, as necessary, escalate cybersecurity incidents both internally and with third-party service providers based on the type and severity of the specific incident.

The Company also requires cybersecurity training for all active employees, focusing on the appropriate protection and security of confidential company and third-party information. Additionally, the Company provides quarterly cybersecurity awareness training that covers a broad range of security topics, including secure access practices, phishing schemes, remote work and response to suspicious activities. In addition to online training, employees are educated through several methods, including event-triggered awareness campaigns, recognition programs, security presentations, company intranet articles, videos, system-generated communications, email publications and various simulation exercises.

The Company has engaged a third-party managed detection and response company to monitor the security of its information systems around the clock, including intrusion detection, and to provide instantaneous alerting should a cybersecurity event occur. The Company also maintains a cybersecurity insurance policy and has engaged a third-party digital forensics and incident response consultant and legal counsel on retainer.

The Company does not believe that any risks from cybersecurity threats, nor any previous cybersecurity incidents, have materially affected the Company. However, the sophistication of cyber threats continues to increase, and the preventative actions the Company has taken and continues to take to reduce the risk of cyber incidents and protect its systems and information may not successfully protect against all cyber incidents. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.

Governance

The Company’s Audit Committee and Board of Directors provide ultimate oversight of the Company’s cybersecurity risk management. The Audit Committee regularly reviews and discusses with management the strategies, processes, procedures and controls pertaining to the management of the Company’s information technology operations, including cyber risks and cybersecurity. The Company’s Chief Information Officer (“CIO”) provides quarterly reports to the Audit Committee regarding the evolving cybersecurity risk landscape, including emerging risks, as well as the Company’s processes, program and initiatives for managing these risks.

The Company’s CISO reports directly to the CIO, who in turn reports to the CFO. The CISO maintains the Certified Information Systems Security Professional (CISSP) certification and GIAC G2700 (Certified ISO 27000 Specialist) and has over 20 years of experience in cybersecurity. Under the direction of the CISO, the Company’s cybersecurity department continuously analyzes cybersecurity and resiliency risks to our business, considers industry trends and implements controls, as appropriate, to mitigate these risks. The team consists of cybersecurity professionals holding multiple certifications such as the CISSP, CEH (Certified Ethical Hacker), GSOM (GIAC Security Operations Manager), GCIA (GIAC Certified Intrusion Analyst), GCFA (GIAC Certified Forensic Analyst), GNFA (GIAC Network Forensic Analyst), GCTI (GIAC Cyber Threat Intelligence), CISM (Certified Information Security Manager) and CISA (Certified Information Systems Auditor). This analysis drives the Company’s long- and short-term cybersecurity strategies, which are executed through a collaborative effort within the IT department and are communicated to the Board of Directors regularly.