Page last updated on February 14, 2025
POTLATCHDELTIC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 14:30:27 EST.
Filings
10-K filed on 2025-02-13
POTLATCHDELTIC CORP filed a 10-K at 2025-02-13 14:30:27 EST
Accession Number: 0000950170-25-019711
Item 1C. Cybersecurity.
Item 1C. Cybersecurity below for more information about our cybersecurity programs.

Our new integrated enterprise resource planning systems (ERP) may not perform as intended.

During 2024, we completed the implementation of new integrated ERP systems that replaced certain components of our existing operating and financial systems. The new ERP systems are critical to our ability to provide accurate and timely operating and financial information to our management, track purchases from and payments to our vendors, and accurately maintain our financial records. We have invested significant resources in the planning and project management of the system implementations. Implementation of new IT systems, including replacement of legacy systems with new or upgraded versions, could also pose a significant risk to our business, as any such implementation can involve system failure, reliance on third party software providers, potential loss or corruption of our important data, security or internal control failures, delays, cost overruns and operational disruption. Any disruptions, delays or deficiencies in the ongoing maintenance of the new ERP systems could adversely affect our ability to operate our business, accurately maintain books and records or otherwise timely file our financial statements with the SEC. Additionally, if the new ERP systems are not designed or implemented properly or if they do not operate as intended, the effectiveness of our internal control over financial reporting could be adversely affected or our ability to assess it adequately could be delayed.

We may be unsuccessful in carrying out our acquisition strategy.

Our real property holdings are primarily timberlands, and we may make additional timberlands and other forest products asset acquisitions in the future. We intend to strategically pursue acquisitions and strategic divestitures when market conditions warrant. The markets for timberland and forest products assets are highly competitive given how infrequently such assets become available for purchase. As a result, many real estate investors have built up their cash positions and face aggressive competition to purchase quality timberland assets. A significant number of entities and resources competing for high-quality timberland properties support relatively high acquisition prices for such properties, which may reduce the number of acquisition opportunities available to, or affordable for, us. As with any investment, our acquisitions may not perform in accordance with our expectations, including achieving expected returns on the investment, revenue growth, cost savings, synergies, business opportunities and growth prospects. In addition, we anticipate financing such acquisitions through cash from operations, borrowings under our unsecured credit facilities, proceeds from equity or debt offerings or proceeds from strategic asset dispositions, or any combination thereof. The failure to identify, complete and successfully integrate acquisitions into our operations could adversely affect our operating results, cash flows, financial condition and the market price of our common stock. Additionally, our inability to finance future acquisitions on favorable terms, or at all, could adversely affect our ability to successfully execute strategic acquisitions and thereby adversely affect our results of operations.

Our financial condition and results of operations may be materially adversely affected by a global health crisis such as coronavirus (COVID-19).

We face risks related to public health epidemics and other outbreaks, including the global outbreak of a novel strain of COVID-19 and its variants. We, our suppliers, contractors and customers modified business practices for the continued health and safety of our employees during the COVID-19 pandemic. If a resurgence of COVID-19 or another severe global health crisis occurs, we or our suppliers, contractors, customers and others may be restricted or prevented from conducting business activities for indefinite or intermittent periods of time, including as a result of employee health and safety concerns, shutdowns, supply chain disruptions, shelter in place orders, travel restrictions and other actions and restrictions that may be prudent or required by governmental authorities. The full extent to which a global health crisis could impact our business and operating results depends on future developments that are highly uncertain and cannot be accurately predicted and may also trigger the occurrence of, or exacerbate, other risks discussed herein, any of which could have a material adverse effect on our business, results of operation, cash flows and financial condition.

Our defined benefit pension plans are currently underfunded.

We have a qualified defined benefit pension plan covering certain of our current and former employees which, at December 31, 2024, was 85.2% funded. Future actions involving our qualified and unqualified defined benefit and other postretirement plans, such as annuity buyouts and lump-sum payouts, could cause us to incur significant pension and postretirement settlement and curtailment charges and may require significant cash contributions to maintain a legally required funded status. The measurement of the pension benefit obligation, determination of pension plan net periodic costs and the requirements for funding our pension plans are based on a number of actuarial assumptions, including the expected rate of return on plan assets and the discount rate applied to the pension obligation. Changes in plan asset returns and long-term interest rates could increase our costs under our defined benefit pension plans and may significantly affect future contribution requirements.
It is unknown what the actual investment return on our pension assets will be in future years and what interest rates may be at any given point in time. We cannot therefore provide any assurance of what our actual pension plan costs will be in the future, or if we will be required under applicable law to make future material plan contributions. See Note 15: Savings Plans, Pension Plans and Other Postretirement Employee Benefits in the Notes to Consolidated Financial Statements for additional information regarding these plans.

A strike or other work stoppage, or our inability to renew collective bargaining agreements timely and on favorable terms, could adversely affect our financial results.

Certain employees at one of our sawmills, representing approximately 13% of our total workforce, are covered under a collective bargaining agreement that expires in 2026. If our unionized workers were to engage in a strike or other work stoppage, or other non-unionized operations were to become unionized, we could experience a significant disruption of operations at our facilities or higher ongoing labor costs. A strike or other work stoppage in the facilities of any of our major customers or suppliers could also have similar effects on us.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We understand the importance of identifying, assessing, and managing risks related to cybersecurity threats and data protection. We acknowledge the potential adverse effects of cybersecurity incidents on our business. As part of our enterprise risk management program, cybersecurity risks are evaluated alongside other company risks within the broader risk assessment process. Our data security plan incorporates a specialized cybersecurity risk assessment process, which helps us identify potential risks by benchmarking our procedures against National Institute of Standards and Technology (NIST) standards and engaging third-party experts to test the security of our information systems.

Key aspects of our risk management program include:

- Monitoring Regulatory Changes: We monitor emerging data protection laws and, if necessary, implement changes to our policies and employee training processes.
- Cybersecurity Policy Reviews: We regularly review and update (when applicable) our policies and procedures related to cybersecurity.
- Security Tools and Response Exercises: We use various tools, such as network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to assist in risk identification and assessment. We then use these findings (where applicable) to enhance our processes and technologies.
- Employee Training: We conduct annual cybersecurity awareness training for all employees with computer access, as well as specific training for those who handle sensitive data or are involved in cybersecurity management.
- Expert Collaboration: We work with third-party subject matter experts to assess cybersecurity threats, their severity, and potential mitigation strategies.
- Safeguard Third-Party Data: Through policy, practice, and contracts (as applicable), we require employees, as well as third parties providing services on our behalf, to treat customer information and data with care.
- Use of Third-Party Service Providers: As cybersecurity considerations affect the selection and oversight of our third-party service providers, we also conduct pre-engagement assessments for third-party providers based on the sensitivity of the data they handle, and annually review SOC 1 or 2 reports for certain outsourced service providers whose systems are utilized in processing company or employee data.
- Phishing Simulations: Regular phishing simulations help employees recognize and respond to potential email threats, with additional training provided, as necessary.
- NIST Framework: We leverage the NIST incident handling framework to guide our responses to actual or potential cybersecurity incidents, covering identification, protection, detection, response, and recovery.

Cybersecurity Incident Response Process

Our incident response plan outlines the steps we take to prepare for, detect, respond to, and recover from cybersecurity incidents. This process includes assessing severity, escalating, containing, investigating, and remediating incidents, while ensuring compliance with applicable legal obligations and protecting our brand reputation. As part of this process, we regularly engage with third-party assessors and consultants to review and improve our cybersecurity program, focusing on compliance and areas for improvement.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity specific risk identification program, both of which are discussed above.

Oversight of Cybersecurity Risk

Our cybersecurity risk management strategy is led by the Information Technology Director (IT Director) and the Director of Information Security (IS Director). Our IS Director has over eleven years of experience managing information security, developing cybersecurity strategy and implementing relevant and effective cybersecurity programs. Together, our IT Director and IS Director hold numerous credentials, including a Bachelor of Science in Cybersecurity & Information Assurance. Both have extensive experience in cybersecurity management with credentials including CISSP, CCSP, GIAC, GCFA, GCIH, and others.

The IT Director reports directly to the Chief Financial Officer, ensuring timely notification of significant cybersecurity incidents to the senior management team. The management team and the enterprise risk committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. The enterprise risk committee, which includes the Chief Financial Officer, IT Director as well as other members of senior management, reviews cybersecurity risk management as a component of our overall enterprise risk management.

The audit committee of the board of directors is responsible for the oversight of the company’s enterprise risk management program. The audit committee’s oversight includes reviewing and discussing with management (at least annually) management’s report on assessment of risk exposure and risk management, the processes in place to identify and manage significant risks, steps taken by management to control or mitigate such exposures, and management’s report on cybersecurity risk management, which includes strategies to mitigate data protection and cybersecurity risks. Additionally, the IT Director reports at least annually to the audit committee on cybersecurity threat risks, and our Chief Executive Officer reports regularly to the chair of our board of directors, and the full board of directors, as appropriate, about emerging threats to our operations, both at scheduled board meetings and through communications between board meetings.

Pursuant to the company’s incident response plan, if a significant cybersecurity incident occurs that may have a material effect on the company’s business or its financial statements, management will discuss the incident and management’s mitigation and remediation plan for such incident with the audit committee.

As of the date of this report, we have not identified any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, financial results, or long-term financial condition. For more information on cybersecurity risks, see the risk factor entitled “Cybersecurity incidents could disrupt business operations, result in the loss of critical and confidential information, and adversely impact our reputation and results of operations” in Part I - Item 1. Business, Item 1A. Risk Factors contained in this report.
Company Information
Name | POTLATCHDELTIC CORP |
CIK | 0001338749 |
SIC Description | Real Estate Investment Trusts |
Ticker | PCH - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |