POTLATCHDELTIC CORP - (PCH)
10-K Filing Date: February 15, 2024
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws; other litigation and legal risk; and reputational risk. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We devote significant resources to protecting and improving the security of our systems and employ a range of tools and services, including network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to inform our professionals’ risk identification and assessment.
We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our processes to standards set by the National Institute of Standards and Technology (NIST), as well as by engaging with experts to attempt to infiltrate our information systems (as defined in Item 106(a) of Regulation S-K).
To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against, detect, and respond to cybersecurity incidents (as defined in Item 106(a) of Regulation S-K), we undertake the activities listed below:
Additionally, we carry information security risk insurance coverage that we believe to be appropriate for the potential losses arising from a cybersecurity incident. However, this insurance may be subject to certain exceptions and may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including by regularly having a third-party qualified security assessor review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform pre-engagement assessments for all third-party service providers based on the sensitivity of the data that will be handled and stored by that third-party service provider. Annually, we review Service Organization Control (SOC) 1 or 2 reports for certain outsourced service providers whose systems are utilized in processing and recording company or employee data.
Cybersecurity is an important part of our risk management processes and an area of continued focus for our board and management. The audit committee of the board of directors is responsible for the oversight of the company’s enterprise risk management program, including reviewing and discussing with management at least annually (i) management’s report on risk management, including management’s assessment of risk exposure (for example, risks relating to operations, climate change, cybersecurity threats and regulatory compliance, among others), the processes in place to identify and manage significant risks, and steps taken by management to control or mitigate such exposures, and (ii) management’s report on cybersecurity risk management, which may include a review of the company’s cybersecurity framework, priorities, risk profile, and processes, controls and strategy to mitigate data protection and cybersecurity risks. Pursuant to the company's incident response plan, management would discuss with the audit committee any significant cybersecurity incidents that may have a material effect on the company’s business or its financial statements and management’s mitigation and remediation plan for such incidents.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Information Technology Director (IT Director) and Director of Information Security (IS Director). Our IS Director has over ten years of experience managing information security, developing cybersecurity strategy and implementing relevant and effective cybersecurity programs. Together, our IT Director and IS Director hold numerous credentials, including a Bachelor of Science in Cybersecurity & Information Assurance, Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Global Information Assurance Certification (GIAC) credentials including GIAC Certified Forensic Analyst (GCFA) and GIAC Certified Incident Handler (GCIH), and others.
Our IT Director reports directly to the Chief Financial Officer, which enables quick notification to the entire management team of any significant cybersecurity incidents. The management team and the enterprise risk committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Our IT Director also reports at least annually to the audit committee about cybersecurity threat risks, among other cybersecurity related matters, and our Chief Executive Officer reports regularly to the chair of our board of directors, and the full board of directors, as appropriate, about any emerging threats to our operations, at scheduled board meetings and through communications between board meetings.
We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. For more information about cybersecurity risks we face, see the risk factor titled “Cybersecurity incidents could disrupt business operations, result in the loss of critical and confidential information, and adversely impact our reputation and results of operations” included as part of our risk factor disclosures within Part I – Item 1. Business, Item 1A. Risk Factors contained in this report.