Summit Materials, Inc. - (SUM)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
As part of our enterprise risk management function, we have implemented processes to assess, identify and manage the material risks facing the company, including from cyber threats. Our enterprise risk management function represents our overall risk management system. Our cybersecurity program is built upon recognized security frameworks. We believe that our processes provide us with a comprehensive assessment of potential cyber threats. We conduct regular scans, penetration tests, and vulnerability assessments to identify any potential threats or vulnerabilities in our systems. Our processes to assess, identify and manage the material risks from cyber threats include the risks arising from threats associated with third party service providers, including cloud-based platforms.
We have developed a cyber incident response plan which provides a documented framework for handling security incidents and facilitates coordination across multiple parts of the company. Dedicated members of our information security team, led by our Vice President, Infrastructure, constantly monitor threat intelligence feeds, handle vulnerability management and respond to incidents. In addition, we periodically perform simulations and drills at both a technical and management level.
Internally, we have a security awareness training platform which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The security awareness training platform offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on a periodic basis, and it is supplemented by testing initiatives, including periodic phishing tests.
From time to time, we engage third-party service providers to enhance our risk mitigation efforts. For instance, we have engaged an independent cybersecurity advisor to lead a cybersecurity crisis simulation exercise that has been used by our senior leaders to prepare for a possible cyber crisis. We have also partnered with an industry expert’s incident response group to help deconstruct, manage and mitigate impact from any cyber-related incident. We also purchase insurance to help protect us against the risk of cybersecurity breaches.
To date, we have not had a significant cybersecurity breach or attack that has had a material impact on our business or results of operations, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, as discussed more fully under “Item 1A. Risk Factors–Risks Related to Our Industry and Our Business–Other Risks–We are dependent on information technology. Our systems and infrastructure face certain risks, including cyber security risks and data leakage risks,” cyber-attacks are continually evolving to become more sophisticated and, while we have invested in the protection of our data and information technology to reduce the risk of a cyber-attack, there can be no assurance that our efforts will be effective in preventing breakdowns or breaches in our systems.
Governance
Role of the Board
Our Board of Directors exercises direct oversight of our strategic risks through its oversight of our enterprise risk management function. The Audit Committee of the Board of Directors in particular is responsible for reviewing our IT security controls and the adequacy of our IT security program, compliance and controls with management. As part of such oversight, the Board of Directors, including members of the Audit Committee, receives periodic reports from our Chief Information Officer and Vice President, Infrastructure to assess the primary cybersecurity risks we face. Our Chief Accounting Officer reports directly to the Board of Directors on our company-wide enterprise risk management, which includes an evaluation of cyber risks and threats.
Role of Management
Our Chief Information Officer, together with our Vice President, Infrastructure, is responsible for the day-to-day management of our cybersecurity risks.
We have a security incident response plan in place. We use this incident response plan as part of the process we employ to keep our management and Board of Directors informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The incident response plan is a set of coordinated procedures and tasks that our incident response team executes with the goal of ensuring timely and accurate resolution of cybersecurity incidents.
Our Chief Information Officer and our VP, Infrastructure have extensive experience in the information technology area, including cybersecurity. In particular, our Chief Information Officer has over 10 years of professional experience in the information security area, including as a result of his service as an IT VP at companies such as Prologis, and holds certifications relating to cybersecurity. Further, our VP, Infrastructure has over 15 years of professional experience in the information security area, including as a result of roles of increasing responsibility at Summit Materials and his service as a senior systems engineer at various companies.