AMERICAN WOODMARK CORP 10-K Cybersecurity GRC - 2024-06-26

Page last updated on July 16, 2024

AMERICAN WOODMARK CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-26 16:15:14 EDT.

Filings

10-K filed on 2024-06-26

AMERICAN WOODMARK CORP filed a 10-K at 2024-06-26 16:15:14 EDT
Accession Number: 0000794619-24-000057

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our operations rely on both on-premises and cloud-hosted IT solutions for critical business processes such as compliance, reporting, marketing, e-commerce, operations, product development, manufacturing, distribution, data management, and stakeholder communication. Recognizing the paramount importance of cybersecurity in today’s digital landscape, we are committed to safeguarding our information assets, protecting consumer data, and maintaining the integrity and availability of our systems. To this end, we have implemented a comprehensive cybersecurity risk management framework designed to identify, assess, mitigate, and prevent potential cybersecurity risks, aligning with industry best practices and all applicable regulatory requirements. We evaluate our cybersecurity risk management framework against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST-CSF), which outlines the core components and responsibilities necessary to sustain a robust and well-balanced cybersecurity program. The foundation of our framework rests on these key principles: (i) risk assessment and threat intelligence gathering; (ii) implementing robust security controls; (iii) maintaining effective incident response capabilities; (iv) promoting employee awareness and providing cybersecurity training; and (v) managing third-party risks. We continue to integrate our cybersecurity framework into our overarching enterprise risk management processes, enabling us to capitalize on our extensive enterprise-wide experience in risk management and swiftly adapt to the ever-evolving cybersecurity threat landscape. Risk Assessment and Threat Intelligence: Under the oversight of the Chief Information Officer (CIO), we conduct periodic risk assessments to pinpoint potential cybersecurity vulnerabilities and threats. These assessments entail evaluating the security posture of critical systems, networks, and applications, as well as analyzing the potential impact of cybersecurity threats on our business operations, financial condition, and reputation. Additionally, we perform continuous threat monitoring and deployed monitoring systems, encompassing technologies such as intrusion detection systems, security information and event management tools, and threat intelligence programs. To ensure the effectiveness of our existing cybersecurity controls and processes, and identify areas for improvement based on the latest industry best practices, we regularly engage third-party consulting services to conduct independent audits and assessments. Additionally, we leverage external expertise to evaluate our cybersecurity and risk management strategy, review policies and procedures to address emerging risks, and maintain ongoing compliance with evolving legal and regulatory requirements. Security Controls: Our approach to cybersecurity employs a multi-layered strategy, implementing a range of technical administrative and physical controls to safeguard critical systems and data. These controls encompass (i) firewalls, intrusion detection, and prevention systems to monitor and block unauthorized access attempts, detect and prevent malicious activities, and protect network infrastructure; (ii) encryption, including secure protocols and multi-factor authentication, to secure information in transit and at rest; and (iii) a secure network architecture that segregates critical systems from the public internet, limiting exposure to potential threats. We also conduct regular security patching to mitigate emerging cyber threats proactively. Incident Response: We have implemented an incident response plan and playbook, encompassing procedures designed to respond to and recover from cybersecurity incidents. In collaboration with third-party security consultants, we conduct ongoing reviews and tabletop exercises of these procedures, which provide detailed descriptions of the roles and responsibilities of key stakeholders, as well as the protocols for communication and coordination during an incident. The procedures also outline guidelines for escalating incident information to our Cybersecurity Steering Committee, senior management, our Audit Committee (which, as discussed below, has been delegated the responsibility for our Board of Directors (the “Board”) cybersecurity risk oversight function), our full Board, and for providing timely public disclosure when necessary. 14 Employee Awareness and Training: Our employees play a pivotal role in maintaining a strong cybersecurity posture. Our Information Security Policy Framework outlines the requirements for employee conduct concerning company information and company-managed devices, encompassing relevant privacy, data security, and data retention policies. We believe our Information Security Policy Framework aligns with industry best practices and applicable legal and regulatory requirements. Complementing our Information Security Policy Framework, we conduct regular cybersecurity training campaigns that emphasize the importance of cybersecurity awareness. These campaigns address relevant cybersecurity topics, such as common cybersecurity threats, phishing awareness, and best practices for safeguarding sensitive information. Employees are held accountable for completing all assigned cybersecurity programs and meeting certain performance thresholds in phishing awareness and testing exercises. Third-Party Risk Management: We recognize the potential cybersecurity risks inherent in our relationships with third parties. To address this, we have implemented a comprehensive third-party risk management program designed to identify and oversee such risks. This program relies on key elements, including risk assessment, due diligence, contractual provisions, and ongoing monitoring, to identify and mitigate impacts from high-risk third parties and specific risks. We utilize security risk assessment questionnaire tools to identify high-risk third parties, enabling us to proactively and effectively assess and mitigate potential security vulnerabilities. Governance Our Board dedicates time and attention to our cybersecurity and information technology risks. The Board executes its cybersecurity risk oversight function collectively and by delegating responsibility to our Audit Committee. Our CIO presents to the Board at least annually and to our Audit Committee at least quarterly, covering a broad range of topics, such as recent and potential cybersecurity threats and incidents across our industry, best practices and policies, emerging trends, vulnerability assessments, and management’s ongoing efforts to prevent, detect, and address internal and external cybersecurity threats specific to our organization. These briefings also include periodic third-party cybersecurity program assessments, benchmarks, and updates from our cybersecurity incident management exercises. Cybersecurity risks are documented and shared with our Audit Committee and the Board quarterly. While our Board and Audit Committee oversees cybersecurity risk, senior management is responsible for actively managing cybersecurity risk, including overseeing and executing the risk management strategies discussed above. Senior management reports to the Board semi-annually on our enterprise risk management processes, ensuring transparency and accountability. Additionally, our Cybersecurity Steering Committee is co-chaired by our CIO and Cybersecurity, Governance Risk and Compliance manager along with other key leaders, including the Chief Human Resources Officer, Vice President of Finance, Corporate Controller, Senior Corporate Risk Manager, Director of Enterprise Infrastructure and Senior Director of Internal Audit, all overseeing the management of key cybersecurity risks and strategy for the organization. The Cybersecurity Steering Committee meets and receives bi-monthly updates, which provide ongoing visibility into cybersecurity risks and mitigation efforts. Through this robust governance structure, involving Board oversight, senior management leadership, and a cross-functional committee, we maintain a proactive and comprehensive approach to managing cybersecurity risks across the organization. As of the date of this filing, we are not aware of any current cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business, results of operations or financial condition. For further discussion of the risks related to cybersecurity, see Item 1A. Risk Factors.

Company Information