RPM INTERNATIONAL INC/DE/ - (RPM)

10-K Filing Date: July 25, 2024
Item 1C. Cybersecurity.

Our cybersecurity risk strategy includes policies and procedures for assessing, identifying and managing material cybersecurity threats. Our program is based on the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework and other applicable industry frameworks. Our cybersecurity posture is risk-based, focused on the areas of higher risk to the company and associates. Our cybersecurity policies, standards and practices are integrated into our enterprise risk management approach, and cybersecurity risks are among the enterprise risks that are subject to oversight by the Board of Directors acting through the Audit Committee of the Board of Directors.

We use third-party vendors to perform ongoing security monitoring, reporting and forensic analysis, as necessary, including annual external penetration testing. Security standards are established and defined with respect to administrator accounts, backups, encryption, passwords, website certifications, antivirus software, endpoint management, firewalls, wi-fi networks, vulnerability scanning, server protection, patching, privacy by design, and data breach reporting. We perform ongoing employee cybersecurity awareness and training activities, which include frequent phishing testing, and we maintain cyber insurance to provide coverage in the event a material cybersecurity incident arises.

We conduct annual internal audits to ensure compliance with our technology policies, security procedures and controls. Our third-party technology providers, consultants and vendors are vetted by our information security teams to assess cybersecurity risk and mitigation measures, where applicable.

We have significantly increased our cybersecurity investments over the last few years and continue to implement additional cybersecurity safeguards designed to detect and prevent cybersecurity incidents. Notwithstanding our increased cybersecurity investments and preparedness activities, threat actors and cybersecurity incidents still pose a risk to the security of our systems, facilities, and networks and to the confidentiality, availability and integrity of our data, including but not limited to intellectual property, confidential information and personal data. For more information on how a cybersecurity incident may impact the Company, refer to the risk factor titled “Data privacy, cybersecurity, and artificial intelligence considerations could impact our business,” in Item 1A of this Form 10-K.

While we have experienced data security incidents that have disrupted our operations in the past, to date, no data security incidents have had, or are materially likely to have, a material impact on RPM.

Cybersecurity incidents are investigated and remediated in accordance with our incident response procedures and other policies and procedures. Cybersecurity is overseen by the Audit Committee of the Board of Directors. The Senior Director - Information Security coordinates with and directs cybersecurity initiatives through information technology and cybersecurity personnel throughout RPM.

The Senior Director - Information Security has over 15 years’ experience in the information technology and cybersecurity field, including previous roles in security architecture, audit and governance. The Senior Director - Information Security recently completed a CISO Academy Workshop, where he gained valuable insights to help improve our cybersecurity posture and program while also better aligning it to our overall business strategy and operating model. He received a BA in math and computer science from Ohio Wesleyan University and holds an Information Systems Auditor certification.

The Audit Committee regularly receives information and reports from the Senior Director - Information Security and other executives responsible for identifying and assessing the scope, nature and impact of cybersecurity risks, incidents and mitigation efforts.

In addition to the Audit Committee, the full Board of Directors receives regular annual reports on the status of our cybersecurity risk, incidents and mitigation efforts. We utilize a technology-based reporting system to identify and log data-related events.

Cybersecurity incidents are assessed for actual or potential impact on the business and any relevant data subjects. Materiality of cybersecurity incidents is assessed and determined by the Cybersecurity Team, which has been assigned this responsibility by our Disclosure Committee. The Cybersecurity Team consists of the Chief Financial Officer, the General Counsel, the Vice President - Commercial Excellence, the Vice President - Global Systems and the Senior Director - Information Security. The Senior Director - Information Security reports regularly to our Disclosure Committee. In the event a cybersecurity incident is determined to have, or is likely to have, a material impact on RPM, the Chair of the Audit Committee of the Board of Directors is directly notified by the General Counsel in coordination with the Chief Financial Officer and Senior Director - Information Security.