Page last updated on November 20, 2024
AZEK Co Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 12:41:00 EST.
Filings
10-K filed on 2024-11-20
AZEK Co Inc. filed a 10-K at 2024-11-20 12:41:00 EST
Accession Number: 0001628280-24-048629
Item 1C. Cybersecurity.
Cybersecurity continues to be a particularly acute area of risk for companies of all sizes and in all industries, including us. Our management and board of directors recognize the importance of developing, implementing, and maintaining appropriate cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Both management and our board of directors are actively involved in our enterprise risk management, and cybersecurity represents an important component of our overall approach to enterprise risk.
Cybersecurity Risk
While we have not experienced a material impact on our business strategy, results of operations or financial condition resulting from cybersecurity threats or previous cybersecurity incidents, such events have the potential to have a material adverse effect on our business strategy, results of operations and financial condition, including by damaging or interrupting access to our information systems or networks, compromising confidential or otherwise protected information, destroying or corrupting data, or otherwise disrupting our operations. Such events could also damage our reputation and our competitive position and could result in litigation with third parties, regulatory action, loss of business, potential liability and increased remediation costs, any of which could have a material adverse effect on our financial condition and results of operations. Such security breaches could also result in a violation of applicable U.S. and international privacy and other laws, which could have a material adverse effect on our business, results of operations and financial position.
We expect risks from cybersecurity threats, including, but not limited to, security breaches, viruses, malware, ransomware attacks, other cyber-attacks, or other similar threats, to continue as events of this nature become more sophisticated and potentially more frequent, and the techniques used in such attacks change rapidly. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors, which should be read in conjunction with the foregoing information.
Cybersecurity Risk Management and Strategy
We maintain a cybersecurity risk management program that is an important and integrated part of our enterprise risk management function and is designed to assess, identify, manage and protect our information systems and data from unauthorized access, use, disclosure, disruption, modification or destruction. Our program is based on applicable industry frameworks and standards, including those provided by the National Institute of Standards and Technology cybersecurity framework, or the NIST Framework. Our cybersecurity risk management process is integrated into our overall risk management process, and shares common methodologies, reporting channels and governance processes that apply across the risk management process to other legal, compliance, strategic, operational and financial risk areas.
We deploy a number of safeguards and processes designed to identify cybersecurity risks and protect our information systems from cybersecurity threats. For example, we maintain data encryption, monitoring, data storage, identity / authentication controls, including two-factor authentication tools, and anti-malware and anti-virus solutions. Additionally, for providers of software-as-a-service and other services that hold or process our data, we review and assess industry standard certifications provided by such third-party service providers.
We perform periodic penetration tests to identify and address vulnerabilities and perform cyber simulations to practice our cybersecurity incident response procedures. We train employees on cybersecurity risks at least semi-annually and generate internal phishing campaigns to assess the effectiveness of the training. We also maintain written information technology and cybersecurity policies that are reviewed regularly and are available to employees on demand.
In addition to internal resources and expertise across our information technology, internal legal and compliance and internal audit teams, we use a variety of industry standard security products and consultants and other third-party service providers to inform our understanding of the threat landscape and to assist us with protecting our technology infrastructure and data. Such security products cover data security, application security, endpoint security, and other security functions. We utilize third-party service providers to assist with the construction and maintenance of such defense system, as well as for assistance with respect to threat identification, response and, if necessary, remediation. We also engage third-party cybersecurity experts to conduct tabletop exercises to enhance incident response preparedness.
To the extent cybersecurity risks are identified, they are responded to by our cybersecurity team. Cybersecurity incidents are managed, evaluated, investigated, and responded to in accordance with our documented Cyber Incident Response Plan.
Cybersecurity Governance
While management is responsible for our cybersecurity program and managing our cybersecurity risks, including our procedures and day-to-day operations, our audit committee oversees our enterprise risk assessment and management program, which includes oversight of cybersecurity risks.
In performing its oversight responsibilities, our audit committee receives regular reports from, and meets with, our cybersecurity leaders at least semi-annually, to review our information technology and cybersecurity risk profile and to discuss our efforts to prevent, detect, mitigate, and remediate cybersecurity incidents. Our audit committee, in turn, regularly reports to the full board of directors regarding such oversight. When assessing audit committee membership, our board of directors considers each member’s information technology and cybersecurity expertise. Our Cyber Incident Response Plan includes protocols under which cyber-related incidents are required to be escalated to senior management and to the audit committee, with ongoing updates regarding any such incident until it has been addressed.
In addition to the above, we recently hired a Chief Digital and Technology Officer to oversee all aspects of our technology system infrastructure and processes and manage our team of internal information technology experts, including our Chief Information Officer. The Chief Digital and Technology Officer is supported by a management-level committee and an experienced cybersecurity team that support our processes to assess and manage cybersecurity risk. Each of our Chief Digital and Technology Officer and our Chief Information Officer has over 25 years of information technology experience, primarily in the manufacturing and consumer goods industries. Our Chief Information Officer also has a degree in Management Information Systems, and both our Chief Digital and Technology Officer and our Chief Information Officer have a Masters of Business Administration. We also currently engage a third-party consultant who reports directly to our Chief Information Officer and provides Chief Information Security Officer, or CISO, advisory services. This consultant has approximately 15 years of experience serving in cybersecurity leadership positions, including as a CISO at other U.S. publicly traded manufacturing companies.
Company Information
Name | AZEK Co Inc. |
CIK | 0001782754 |
SIC Description | Plastics Products, NEC |
Ticker | AZEK - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | September 29 |