ARMSTRONG WORLD INDUSTRIES INC - (AWI)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY

Our use of information systems for collecting, using, transmitting and storing data is a vital aspect of our business operations. Information systems are inherently vulnerable to a range of cybersecurity threats that could potentially have a material impact on our strategy, financial condition, liquidity or results of operations.

Cybersecurity Risk Management and Strategy. The Company actively maintains an enterprise risk management program. Management’s role is to identify, mitigate, guide and review the efforts of our business units, consider whether the residual risks are acceptable, and approve plans to deal with potentially material risks. Cybersecurity is a key risk management category within our enterprise risk management program.

The Vice President and Chief Information Officer (“CIO”), who also serves as a member of the Company’s enterprise risk counsel, works closely with key business leaders and functions to develop and enhance the Company’s cybersecurity strategy. Our cybersecurity program is designed to safeguard against an evolving threat landscape through effective prevention, detection, response and recovery processes. Our cybersecurity risk management processes include frequent assessment of our top cyber risks and mitigations.

Our approach encompasses several key areas consisting of threat and vulnerability management that help to identify, prioritize and reduce cybersecurity gaps or weaknesses. Identity and access management serves as an integral part of our strategy and involves access controls and authentication methods. Data protection and privacy practices, including data loss prevention, safeguard sensitive information. We also deploy cybersecurity systems, such as firewalls, intrusion detection systems and continuous monitoring, to provide defenses against unauthorized access. Incident response exercises are regularly performed to ensure readiness for potential cybersecurity incidents. Employee training and awareness programs are conducted to minimize risks associated with human error and foster a culture of security consciousness. Finally, vendor risk management practices are employed and focus on monitoring the posture of our third-party vendors to mitigate risks from external sources. In addition, we perform user access reviews for third-party applications, and for certain applications, obtain and review System and Organization Controls reports to assess our critical vendors’ cybersecurity preparedness both at inception and on an ongoing basis.

Our cybersecurity program’s effectiveness is periodically evaluated against established quantifiable goals and other external benchmarks, including the National Institute of Standards and Technology security framework. This evaluation is carried out through periodic internal and external risk assessments and compliance audits. We regularly engage third parties in order to help conduct these evaluations, assessments and audits, advise us on the effectiveness of our cybersecurity processes and assist the Company in remediating any identified vulnerabilities.

To date, the risks from cybersecurity threats, including as a result of any previous immaterial cybersecurity incidents, have not materially affected, or are reasonably likely to materially affect, our strategy, financial condition, liquidity or results of operations.

Governance. Our Board of Directors has responsibility for oversight of management’s cybersecurity risk program and receives regular updates from our CIO. These updates, provided on a semi-annual basis, cover a range of topics, including the performance of our cybersecurity program against established goals and external standards, insights into the evolving cybersecurity landscape, current events and recent cybersecurity threats, and progress in enhancing the Company’s cybersecurity posture.

Our CIO holds an advanced degree in Information Technology with over 20 years of experience, including senior leadership roles in technology at various companies. In addition, our CIO leads the Information Security Steering Committee, a group comprised of key information technology employees and business leaders, including our Senior Vice President, Chief Financial Officer and Senior Vice President, General Counsel and Chief Compliance Officer. This committee meets regularly to review and discuss the Company's cybersecurity strategies and developments, ensuring a comprehensive approach to managing cybersecurity risk.