WORTHINGTON ENTERPRISES, INC. - (WOR)

10-K Filing Date: July 30, 2024
Item 1C. — Cybersecurity


We have developed a cybersecurity program for identifying and mitigating risks to our information and information systems, including guarding against increased cybersecurity threats. This comprehensive program includes risk management to identify cybersecurity threats that could adversely affect our information systems and compliance.

The Audit Committee has primary responsibility for oversight of cybersecurity matters. The Audit Committee receives quarterly updates on compliance and cybersecurity from the CIO and CISO. These updates cover a range of topics, including the performance of our cybersecurity program against established goals and external standards, insights into the evolving cybersecurity landscape, current events and recent cybersecurity threats, and enhancements to our cybersecurity program.

The CIO has extensive leadership experience, with 25 years in information technology, project management and business applications, including manufacturing. The CISO is responsible for overseeing our cybersecurity risk management program, in coordination with the CIO and our other business leaders, including those in the legal, internal audit, finance and risk management departments. The CISO has extensive cybersecurity knowledge and skills gained from over 25 years of technical and business experience in the cybersecurity and information security fields. The CISO reports directly to the CIO, who in turn reports directly to the Chief Financial Officer. The CISO receives reports on cybersecurity threats on an ongoing basis and regularly reviews risks to identify and mitigate data protection and cybersecurity risks. The CISO and CIO also work closely with our legal department to oversee compliance with applicable legal, regulatory and contractual security requirements.

We actively maintain an enterprise risk management program that includes information technology and cybersecurity risk management. Management’s role is to identify, mitigate, guide and review the efforts of our business units, consider whether the residual risks are acceptable, and approve plans to address potentially material risks. Cybersecurity is a key risk management category within our enterprise risk management program.

Our cybersecurity program is designed to safeguard against an evolving threat landscape through effective identification, prevention, detection, response and recovery processes. Our cybersecurity risk management processes include frequent assessment of our top cybersecurity risks and mitigations.

Our cybersecurity and risk management program encompasses several key areas, including threat and vulnerability management, which help to identify, prioritize and reduce cybersecurity gaps or weaknesses. We regularly educate and share best practices with our employees to raise awareness of cybersecurity threats, creating a culture in which everyone shares responsibility for helping to protect our sensitive data and information. All employees are regularly provided cybersecurity training and are involved in phishing prevention campaigns to raise awareness. Our identity and access management program involves access controls for least-privilege access and additional authentication methods. We have many cybersecurity systems, including firewalls, intrusion detection systems and continuous monitoring by a full-time Security Operations Center, to defend against unauthorized access. Incident response exercises are performed using our response and ransomware playbooks, ensuring our readiness to respond to cybersecurity events. We have a risk management program for our critical third-party vendors focused on mitigating risks from external sources. Those third-party applications are monitored and their access is reviewed, including evaluation of System and Organization Controls (SOC) reports.

Our cybersecurity program's effectiveness is based on recognized best practices, standards and frameworks for cybersecurity and information technology, including periodic evaluation against established quantifiable goals and other external benchmarks, such as the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) and several other security frameworks. The evaluation is conducted through periodic internal and external risk assessments and compliance audits. We regularly engage third parties to help conduct evaluations and assessments and to advise us on the effectiveness of our cybersecurity program.

To date, the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect, us or our strategy, financial condition, liquidity or results of operations. It is possible that we may not implement appropriate controls if we do not detect a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate the risks. Even when a risk is detected, disruptive events may not always be immediately and thoroughly interpreted and acted upon.
