Page last updated on February 19, 2025
MasterBrand, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:30:12 EST.
Filings
10-K filed on 2025-02-19
MasterBrand, Inc. filed a 10-K at 2025-02-19 16:30:12 EST
Accession Number: 0001941365-25-000016
Item 1C. Cybersecurity.
We have developed our cybersecurity program to protect the assets used to create products, generate revenue, and service customers while complying with industry frameworks. We are also committed to protecting the confidentiality and integrity of our data, as well as the data of our associates and customers. Our cybersecurity program consists of key pillars focused on: risk management and cyber defense, as well as governance and compliance. Each of these pillars consists of controls and processes that are aligned with the National Institute of Standards and Technology (“NIST”) Cyber Security Framework.
Managing cybersecurity risk and maintaining a secure, reliable and functional corporate network and data systems are among our highest priorities. As a result, we have implemented practices, procedures, processes and governance mechanisms to help us achieve a robust cybersecurity environment.
Risk Management and Strategy
Cybersecurity risk management is a critical component of our overall enterprise risk management program. We consider cybersecurity to be a key risk, and we prioritize risks related to cybersecurity matters.
Risk Assessment and Identification
Our cyber defense practices prioritize protection against cybersecurity threats. We have operationalized a written incident response plan designed to assess, identify, address and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity and availability of our business and information systems. We use a threat intelligence platform to routinely monitor risks specific to both our organization and third parties. Our incident response playbook and processes are maintained within the cyber defense program and used to keep personnel trained. Penetration tests are conducted periodically to validate cyber defense control effectiveness. We have also established cybersecurity taxonomy and operational parameters for our company.
These parameters include acceptable technology and data use, data privacy, access controls, third-party governance and disaster recovery. Vulnerability management is also a key focus of our cybersecurity program, which consists of identifying and assessing vulnerabilities and taking appropriate action to manage risk. We routinely review our controls and technology use against our policies and assess our cybersecurity program against the NIST Cyber Security Framework.
We have implemented a number of measures to enhance the security and resiliency of our network and information and data systems. These measures include, but are not limited to: (i) user access control management; (ii) intrusion detection and prevention systems; (iii) information security continuity measures, including redundant systems and information backups; (iv) network segmentation; (v) encryption of critical information and data; (vi) event logging; (vii) implementation of an application patching and update cadence; and (viii) incident response planning.
We perform periodic cybersecurity assessments, including with the assistance of external third parties, to identify, assess and prioritize potential risks that could affect our information and data assets and infrastructure. Risks we identify are assessed based on severity and are addressed as appropriate through both tactical and strategic plans. Risk and security maturity assessments, as well as penetration assessments, are performed as part of our cybersecurity program.
Third Party Risk Management
We have a process in place to oversee our third-party vendors who have access to our information systems or who hold or store personal information on our behalf.
We use a variety of methods and tools to assess such third-party vendors’ controls related to cybersecurity threats, including obtaining proof of a vendor’s testing of data protection controls, imposition of contractual obligations and reviews of data protection controls such as backups, encryption standards and disaster recovery. Our information technology and vendor risk management functions assess such third-party vendors as part of the initial determination process and then periodically thereafter.
Training and Awareness
Our associates are a critical part of our defense against potential cybersecurity incident exposure. All of our associates have a responsibility and a role to play by complying with our cybersecurity operational practices and reporting any potential cybersecurity incidents or exposures to our cybersecurity team. All applicable associates receive cybersecurity training in the form of online modules on an annual basis, routine simulations and newsletters.
Material Cybersecurity Risks, Threats & Incidents
As of the date of this Annual Report on Form 10-K, we have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that we believe have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations, or financial condition. We cannot assure you that we will not experience any such threats or incidents in the future. Any security breach or other significant disruption involving our computer networks and related systems could cause substantial costs and other negative effects, including litigation, remediation costs, costs to deploy additional protection strategies, compromising of confidential information and reputational damage adversely affecting investor confidence.
Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See Item 1A. Risk Factors for further details on risks related to potential breaches of our information technology systems.
Governance
The Audit Committee assists the Board in its oversight of our enterprise risk management program. The Audit Committee reviews our strategies, policies and internal controls relating to information technology, data privacy, data protection and cybersecurity. The Audit Committee’s review includes our plans to mitigate cybersecurity risks and to respond to data breaches. Broad oversight is maintained by our full Board.
Our Executive Vice President and Chief Digital and Technology Officer (“CDTO”) is responsible for the oversight of our information security strategy and cybersecurity program. Our CDTO has over 20 years of information technology experience, leading the development of a multi-year information technology strategy, including cross-functional information technology transformation and digital innovation initiatives.
Our Vice President, Cyber Security and Risk, who reports directly to the CDTO, is responsible for day-to-day assessment and management of our cybersecurity matters and has over 20 years of experience in enterprise risk management, governance and compliance, defending against cyber threats and is a Certified Information Security Services Professional (“CISSP”).
Our Vice President, Cyber Security and Risk oversees a cybersecurity team that focuses on the execution of our cybersecurity program, including cyber defense, as well as risk and compliance matters. The cybersecurity team receives timely notifications about cybersecurity threats via the threat intelligence platform used by the company.
In addition, this team leverages third-party security service and threat intelligence partners to operate and maintain our cyber defense program, to stay current on cybersecurity risks and to assess various areas of our operations.
Our Vice President, Cyber Security and Risk regularly provides updates on material cybersecurity risks to our CDTO and other members of senior management and provides reports to both the Audit Committee and the Board at least once a year, or more frequently as needed. The Audit Committee reviews and discusses with our management key process and risk indicators, progress on plans to address key risks, and any material changes in threat landscapes or risk posture which could negatively affect our business.
Company Information
Name | MasterBrand, Inc. |
CIK | 0001941365 |
SIC Description | Wood Household Furniture, (No Upholstered) |
Ticker | MBC - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 28 |