GRIFFON CORP 10-K Cybersecurity GRC - 2024-11-13

Page last updated on November 13, 2024

GRIFFON CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-13 17:24:50 EST.

Filings

10-K filed on 2024-11-13

GRIFFON CORP filed a 10-K at 2024-11-13 17:24:50 EST
Accession Number: 0000050725-24-000152


Item 1C. Cybersecurity.

Risk Management and Strategy

Griffon relies on electronic information systems, networks and technologies to conduct and support its operations and other functions and activities within the Company and with third parties. We rely on commercially available systems, software, tools, third-party service providers and monitoring to provide security for processing, transmission and storage of confidential information and data.

We have an enterprise-grade cybersecurity management program designed to assess, identify, protect, detect and respond to, and manage material risks from cybersecurity threats. To protect our information systems from cybersecurity threats, we use various information technology and cybersecurity tools to safeguard our systems and data, which help prevent, identify, escalate, investigate, remediate, respond and recover from identified vulnerabilities and cybersecurity incidents.

As part of the Company’s cybersecurity risk management program, we follow the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) to assess, identify and manage material risks that arise from cybersecurity threats. Griffon’s cybersecurity risk management program is closely tied to and integrated with the Company’s overall enterprise risk management processes.

Griffon has a third-party risk management program regarding the cybersecurity practices of its vendors and partners that is designed to oversee, identify, and minimize material risks from cybersecurity threats associated with the use of such third parties. This program involves vetting of third parties before engagement. Regular monitoring and reviews are conducted to ensure third party vendors and partners comply with Griffon’s security standards. From time to time, Griffon engages external experts, including cybersecurity assessors, consultants, and/or auditors to evaluate cybersecurity measures and risk management processes.
We also maintain a cyber incident response plan (“IRP”) with the objective of (1) providing a structured and systematic incident response process for cybersecurity threats that affect us, (2) timely and effectively identifying, resolving and communicating cybersecurity incidents, and (3) managing internal and external communications and reporting. If a cybersecurity incident occurs, our incident response team (“IRT”) is immediately notified, and Griffon management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents impacting the Company. The IRT also coordinates further notifications, as applicable, to senior executives and organizational leadership, our Audit Committee and Board of Directors, business partners or service providers, and authorities.

Like most organizations, we and our third-party service providers have experienced and expect to continue to experience actual or attempted cyber-attacks of our information systems and networks. During the reporting period, Griffon has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that we believe have materially affected, or are reasonably likely to materially affect, us, including our business strategy, operating results, and financial condition. However, if any such event, whether actual or perceived, were to occur, it could have a material adverse effect on our business strategy, operating results and financial condition.

We continuously use threat models and cyber threat intelligence to identify relevant risks to our businesses and take active measures to mitigate these risks. For more information regarding the risks we face from cybersecurity threats, see Item 1A., "Risk Factors" in this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our enterprise risk management processes and an area of focus for our Board of Directors and management.
The Audit Committee assists the Board of Directors in its oversight of risks related to cybersecurity and directly oversees risk management relating to cybersecurity. The Audit Committee is also responsible for assessing the steps management has taken to monitor and control these risks and exposures, and evaluating guidelines and policies with respect to our cybersecurity risk assessment and risk management. The Audit Committee reviews our cybersecurity program with management and reports to the Board of Directors with respect to, and its review of, the program. Cybersecurity reviews by the Audit Committee generally occur at least annually, or more frequently as determined to be necessary or advisable. From time to time, third-party subject matter experts present to the Audit Committee on contemporary cybersecurity topics of interest.

Griffon also has a Cybersecurity Management Committee, consisting of executives from Griffon and technology leaders from Griffon’s business segments, that monitors and assesses progress and performance by Griffon’s business segments in the area of cybersecurity; the results of such assessments are reported to the Audit Committee from time to time.

The Chief Information Officers of each of HBP and CPP regularly provide updates on material cybersecurity risks to our senior management and to our Audit Committee, and along with their technology teams, are responsible for assessing and managing cybersecurity risks. Each of our business segment Chief Information Officers has over 20 years of experience in cybersecurity, information security, policy, architecture, engineering and incident response.


Company Information

Name: GRIFFON CORP
CIK: 0000050725
SIC Description: Metal Doors, Sash, Frames, Moldings & Trim
Ticker: GFF - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29