Page last updated on October 24, 2024
RADIUS RECYCLING, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-24 15:06:54 EDT.
Filings
10-K filed on 2024-10-24
RADIUS RECYCLING, INC. filed a 10-K at 2024-10-24 15:06:54 EDT
Accession Number: 0000950170-24-117007
Item 1C. Cybersecurity.
Risk management and strategy

Our cybersecurity program has been designed to protect our organization’s sensitive information, mitigate cyber threats, and ensure our critical assets’ confidentiality, integrity, and availability even as the threat landscape evolves. This is accomplished by a layered security approach through implementing security measures across various levels of our people, systems, and infrastructure with leading-edge cybersecurity tools combined with a 24/7 Security Operations Center and advanced vulnerability and incident management capabilities. Our safeguards also include employee training and awareness programs around phishing, malware, and other cybersecurity risks.

Cybersecurity is recognized as a top enterprise risk and the IT Risk Management (“ITRM”) program is an integral component of our enterprise risk management (“ERM”) program. Protection of the Company’s informational assets is managed by a comprehensive, multi-layer strategy, modeled on the National Institute of Standards and Technology (“NIST”) cybersecurity framework, and combines technology, services, policies, and user education to mitigate cyber risks. We have instituted Acceptable Use, Information Security, and Vendor Risk policies and procedures, which support our efforts to protect employees and contractors, while ensuring that we partner with responsible vendors who also invest in effective cybersecurity practices. Where appropriate, we engage external experts in different capacities to assist in our assessment, identification, and management of risks from cybersecurity threats. Our relationships with these external partners enable us to leverage their expertise to continually strengthen our programs and procedures.

Our ITRM program also includes processes to identify, assess and oversee risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

In the event of a cybersecurity incident, we have an established incident response plan that requires prompt notification of the CEO and the Information Security and Privacy Executive Committee (“ISPEC”). The CEO and the ISPEC oversee the process for assessing the impacts of incidents, monitoring our mitigation and remediation efforts, and complying with any relevant laws and regulations.

To date, we have not identified any material risks from cybersecurity threats, including as a result of any cybersecurity incident, which have materially affected, or are reasonably likely to materially affect, us, our business strategy, our results of operations, or our financial condition. As discussed more fully under “Item 1A. Risk Factors”, the sophistication of cyber threats continues to increase, and the preventative actions the Company takes to reduce the risk of cyber incidents and protect its systems and information may be insufficient. See “Item 1A. Risk Factors, One or more cybersecurity incidents may adversely impact our financial condition, results of operations, and reputation” above for more information.

Governance

Our Board of Directors has overall oversight responsibility for our ERM program, including oversight of cybersecurity risk management. The Board administers its risk oversight function through the full Board and its standing committees. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks and implement processes and programs to manage such risks and mitigate cybersecurity incidents.

Management, including the Chief Information Officer (“CIO”), updates the Audit Committee on at least an annual basis regarding our cybersecurity programs and material cybersecurity risks and mitigation strategies. In addition, we have a standardized incident response process that establishes procedures for timely escalation and notification to the ISPEC and other members of senior management.

Our CIO, with oversight by the ISPEC, is responsible for managing the Company’s digital infrastructure, systems, and services and ensuring the confidentiality, integrity, and availability of information stored and processed using those systems. Our CIO has more than 30 years of IT and cybersecurity experience and oversees a team of dedicated cybersecurity personnel with various experience and certifications in information security and cybersecurity. Our internal compliance organization, through its involvement in the ISPEC, the Enterprise Compliance Counsel (“ECC”) and Internal Audit Department, works closely with our cybersecurity team in assessing and managing our cybersecurity risk.

The ISPEC provides comprehensive strategic guidance, coordination, and oversight of the Company’s information security and privacy programs and governance, including the Cybersecurity Program, Data Privacy Program, Information Technology Policies, and data breach and cyber incident testing, plans, and operational response. The ISPEC meets quarterly and is co-chaired by the CIO and Assistant General Counsel, Legal, Chief Privacy Officer and Deputy Chief Compliance Officer.

The ECC oversees key risk areas, which include IT and Cyber. The CIO is a key risk owner for the IT and cybersecurity domain and works with the ECC to effectively mitigate compliance risk within our functional regulatory area. This council meets quarterly and is chaired by the SVP General Counsel & Chief Compliance Officer and Assistant General Counsel, Legal, Chief Privacy Officer and Deputy Chief Compliance Officer.
Company Information
Name | RADIUS RECYCLING, INC. |
CIK | 0000912603 |
SIC Description | Wholesale-Misc Durable Goods |
Ticker | RDUS - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | August 30 |