Page last updated on July 16, 2024
MASCO CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 07:20:49 EST.
Filings
10-K filed on 2024-02-08
MASCO CORP /DE/ filed a 10-K at 2024-02-08 07:20:49 EST
Accession Number: 0000062996-24-000006
Item 1C. Cybersecurity.
Cybersecurity risk is a part of our overall enterprise risk management assessment. Our cybersecurity program is modeled on the National Institute of Security Technology Cybersecurity Framework (NIST CSF) which provides the governance structure for our identification of, protection against, detection of, response to and recovery from cybersecurity threats and incidents, including those associated with our use of third-party applications and service providers. Key components of our cybersecurity program include:
- an enterprise organizational framework that consists of enterprise leaders that oversee our cybersecurity governance, including policies and standards, and functional business unit leaders that implement our cybersecurity policies;
- the identification of our cybersecurity risks and vulnerabilities and the implementation of protections against cybersecurity threats and incidents, including regular training to our employees;
- continual global threat monitoring and detection, in partnership with third-party service providers;
- a process for assessing the severity of cybersecurity threats, identifying whether the cybersecurity threats are associated with a third-party service provider, and implementing an appropriate response and resolution to cybersecurity incidents, as necessary; and
- risk-based cybersecurity audits led by our internal audit function, which include cybersecurity control maturity assessments (based on NIST CSF), as well as attack simulations and penetration testing performed by third-party service providers.
Our Board of Directors has overall oversight responsibility for our enterprise risk management and compliance programs, including cybersecurity.
Our Board is responsible for ensuring that management has processes in place designed to identify and assess cybersecurity risks to which we are exposed, implement the appropriate protections to address such risks, identify cybersecurity threats and respond to and resolve cybersecurity incidents. Management is responsible for identifying and assessing material cybersecurity risks on an ongoing basis and for developing, managing and implementing our cybersecurity program to assure that our potential cybersecurity risk exposures are monitored and appropriate mitigation measures are implemented.
Our cybersecurity program is overseen by our Vice President, Information Technology and our Director, Enterprise Security. Our Vice President, Information Technology has significant professional experience in leading the information technology function and our Director, Enterprise Security has held various roles in cybersecurity and is an ISC2 Certified Information Security Professional (CISSP®). Each periodically participates in various industry cyber forums and communicates industry best practices to the appropriate internal information security professionals.
Our cybersecurity program is managed and implemented by a team of enterprise level and business unit level information security professionals, partnering with third party advisory services, as needed. The team’s focus is on our operational response to cybersecurity threats, exposure analysis, security governance and the design and implementation of our security controls. Our Incident Response Plan, developed by management, governs our process to respond to, remediate and resolve material cybersecurity incidents, including providing appropriate internal and external communication of such incidents.
At least annually, our Vice President, Information Technology discusses with our Board a report on cybersecurity, including an update regarding our cybersecurity risks, mitigation activities and industry developments.
In addition, our internal audit function provides regular updates to our Audit Committee on the results of our cybersecurity audits and related mitigation activities. In 2023, as part of our enterprise risk management update to our Board, our Vice President, Information Technology discussed risks and trends associated with information technology, including cyber-attacks, and current and future planned actions to mitigate such risks. In addition, in 2023, our Vice President, Information Technology reviewed with our Board updates related to our operational and resource readiness with respect to cyber incidents, our incident response processes and emerging cybersecurity risks.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors - We are subject to cybersecurity attacks, which could adversely impact our results of operations and financial position” in this annual report on Form 10-K.
Company Information
Name | MASCO CORP /DE/ |
CIK | 0000062996 |
SIC Description | Heating Equip, Except Elec & Warm Air; & Plumbing Fixtures |
Ticker | MAS - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |