BlueLinx Holdings Inc. - (BXC)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT

Our risk management program includes focused efforts on identifying, assessing and managing cybersecurity risk, including the following:

A robust information security training program that requires all company employees with access to our networks to participate in regular and mandatory training on how to be aware of, and help defend against, cyber risks, combined with periodic testing to measure the efficacy of our training efforts.

Alignment of our program with the National Institute of Standards and Technology Cybersecurity Framework to prevent, detect and respond to cyberattacks.

Continuous and robust testing of our systems to assess our vulnerability to cyber risk, which includes targeted penetration testing, tabletop incident response exercises, periodic audits of our systems by outside industry experts and regular vulnerability scanning.

Engaging external cybersecurity experts in incident response development and management.

Business continuity plans and critical recovery backup systems.

The Company’s cyber risk management program is supervised by a dedicated Chief Information Officer whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes, as well as managing the Company’s information security and risk management awareness program. We provide regular awareness training to our employees, including periodic phishing tests, to help identify, avoid and mitigate cybersecurity threats. We also periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed.

CYBERSECURITY INCIDENT RESPONSE PROCESS

We maintain and actively update a cybersecurity incident response plan that outlines the steps we take to identify, investigate and respond to any potentially material cyber incidents. Our incident response plan ensures that our Chief Information Officer, members of our senior management team and select members of our legal staff are timely informed of, and consulted with respect to, any potentially material cyber incidents.

BOARD OVERSIGHT OF CYBER RISK

Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee, which provides advice and guidance on the adequacy of the Company’s initiatives on, among other things, cybersecurity risk management. The Chief Information Officer presents regular updates to the Audit Committee and the full Board of Directors, on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, and the emerging threat landscape. The Company also engages third parties to periodically evaluate and audit aspects of the Company’s information security programs, including by conducting vulnerability assessments and penetration testing, and the results of those findings are reported to the Audit Committee and used to help identify potentially material risks and prioritize certain security initiatives.

We face a number of cybersecurity risks in connection with our business. Based on the information we have as of the date of this Annual Report on Form 10-K, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations or financial position. See Item 1A, Risk Factors, of this Annual Report on Form 10-K for further discussion of cybersecurity risks.