Page last updated on October 17, 2024
COMMERCIAL METALS Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-17 11:55:32 EDT.
Filings
10-K filed on 2024-10-17
COMMERCIAL METALS Co filed a 10-K at 2024-10-17 11:55:32 EDT
Accession Number: 0000022444-24-000140
Item 1C. Cybersecurity.
Risk Management and Strategy

CMC has established a comprehensive cybersecurity risk management program to identify, assess and manage material risks from cybersecurity threats to our computer systems, outsourced services, communications systems, industrial processing equipment, hardware and software, and to safeguard our data and our customers' data. Our risk management program includes a documented cybersecurity incident response plan and a data breach response plan (the "response plans") that outline how to respond to and contain incidents and data breaches. Additionally, we maintain a cybersecurity incident disclosure and evaluation plan (the "disclosure plan") which would be used to assess the impact of a cybersecurity incident and promptly issue required SEC disclosures if needed. The response plans and disclosure plan are adapted depending on the type of incident or data breach and are tested at least once per year. We use the National Institute of Standards and Technology Cybersecurity Framework to guide our risk management program and utilize third parties to regularly review our response plans.

CMC recognizes the critical importance of a well-developed cybersecurity risk management program within an ever-changing threat landscape and has designed ongoing cybersecurity management protocols that are embedded into our global business processes and activities. These protocols include, but are not limited to, penetration testing, vulnerability scanning, attack simulations and appropriate internal controls, along with independent third-party audits conducted to evaluate compliance with security standards and best practices. The protocols are designed by our Chief Information Security Officer ("CISO") and implemented by an experienced team including our information security and various technology departments.
We engage expert consultants and third-party service providers to review our cybersecurity controls and readiness, alert us to potential improvements and provide incremental industry knowledge and expertise. Additionally, employees are required to complete cybersecurity training at the start of their employment and annually thereafter and are regularly exposed to phishing awareness campaigns that simulate real-world threats.

Our cybersecurity risk management program also addresses cybersecurity risks associated with our use of third-party service providers and our vendors. We proactively manage these risks by reviewing current and prospective third-party service providers' compliance with our established relevant privacy and data security standards. We also require our key vendors to complete security questionnaires and we conduct audits and vulnerability scans related to them. Depending on the nature of the services provided and the sensitivity of the relevant data involved, our service provider and vendor management processes may involve different levels of assessment and impose additional obligations related to cybersecurity on the service provider or vendor.

While previous cybersecurity incidents and threats have not materially adversely affected our business strategy, results of operations or financial condition to date, any actual or perceived breach of our security could damage our reputation or subject us to third-party lawsuits, regulatory investigations and fines or other actions or liabilities, any of which could materially adversely affect our business strategy, results of operations, or financial condition. See Item 1A, Risk Factors, "Information technology interruptions and breaches in data security could adversely impact our business, results of operations and financial condition" for more information.
Governance

Both management and our Board understand that cybersecurity is crucial for securing our data and operations and defending the interests of our stakeholders. Our Board considers cybersecurity risk management as part of its general oversight function and receives an annual update on cybersecurity matters. The audit committee of our Board oversees management's process for identifying and mitigating cybersecurity threats and implementing the cybersecurity risk management processes described above. On a quarterly basis, our Vice President and Chief Information Officer ("CIO") and CISO update the audit committee regarding cybersecurity management initiatives, the status of ongoing cybersecurity threats CMC faces and other developments regarding our cybersecurity management protocols.

Our CISO has many years of experience in creating and implementing cybersecurity risk management programs and using cybersecurity management technologies and infrastructure solutions. Our CISO works under the supervision of our CIO, who has extensive experience in information technology and cybersecurity functions. Both the CISO and the CIO have daily responsibility for cybersecurity risk management and establishing risk management practices, and are involved in the execution of the response plans described above when a possible cybersecurity incident occurs. We engage a third-party service provider on a bi-annual basis to evaluate our cybersecurity risk management program and perform health checks on key applications. We also complete annual penetration testing to test our defenses against potential threats or risks.

The response plans referenced above define a cross-functional cyber incident response team (the "CIRT") that includes members of senior management, including the CISO and CIO, among other skilled employees. The CIRT plays an important role in the detection, mitigation, and remediation of cybersecurity incidents and in informing relevant members of management and the audit committee on cybersecurity threats and events. Select members of the CIRT actively participate in regular technical readiness exercises. Moreover, our executive officers participate in annual crisis tabletop exercises and attack simulations to prepare for a swift, effective, and thorough response to a potential cybersecurity incident.
Company Information
Name | COMMERCIAL METALS Co |
CIK | 0000022444 |
SIC Description | Steel Works, Blast Furnaces & Rolling Mills (Coke Ovens) |
Ticker | CMC - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | August 30 |