Page last updated on February 20, 2025
JELD-WEN Holding, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 17:02:36 EST.
Filings
10-K filed on 2025-02-20
JELD-WEN Holding, Inc. filed a 10-K at 2025-02-20 17:02:36 EST
Accession Number: 0001674335-25-000055
Item 1C. Cybersecurity.
Item 1C - Cybersecurity Risk Management and Strategy

We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats as part of our overall risk management system and processes. To that end, we regularly monitor the need and implementation of enhancements to security infrastructure, legacy system replacement, emerging technology risk assessment and security integration. Our cybersecurity risk management processes include the following:

a. We leverage the NIST framework to help ensure the Company’s risk posture remains in alignment with the Company’s overall risk appetite.
b. The Company utilizes policies, software, training programs, hardware solutions and managed services to protect and monitor our environment, including multifactor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, identity and access management systems, cloud security controls and monitoring, data backup and recovery systems and 24x7 security operations center.
c. The Company’s approach to managing cybersecurity and digital risk is led by our CIO and CISO. Our CIO is supported by the Company at the highest levels and regularly engages with cross-functional teams at the Company, including Legal, Audit, Finance, Human Resources and Enterprise Risk Management.
d. We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident. Such insurance may be insufficient to cover all losses or all types of claims that may arise.
e. Our cybersecurity team conducts routine cyber awareness training for professional associates using an independent third-party security training provider to educate best practices, policies and responsibilities pertaining to cybersecurity. We also conduct periodic simulated phishing tests to generate awareness and run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our practices, procedures and technologies.
f. Our cybersecurity incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, communicate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
g. Our cybersecurity team regularly conducts tests of our information security environment and controls through vulnerability scanning, penetration testing and attack simulation testing.

Additionally, our cybersecurity risk management processes include review and assessment by external, independent third parties, who assess the maturity of our cybersecurity program and identify areas for continued focus and improvement. Furthermore, our Legal Department advises the Board about best practices for cybersecurity oversight by the Board, and the evolution of that oversight over time.

Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. Our cybersecurity team conducts third-party software security reviews for new software products being implemented into our production environments. We also have a third-party risk management process that regularly assesses and monitors risks, including cybersecurity, from vendors and suppliers.

As of the date of this Form 10-K, we do not believe any risk from any cybersecurity threats or incidents have had, or are reasonably likely to have, a material impact on us; however, there is no guarantee that a future cybersecurity threat or incident will be detected and remediated to not have a material adverse impact on our business, results of operations and financial condition. Refer to Item 1A - Risk Factors of this Form 10-K for information on cybersecurity risks that may materially affect our business, results of operations and financial condition.

Governance

The cybersecurity risk management processes described above are led by our CIO and CISO, each having more than 25 years of information security experience. Our CIO reports to the CEO, and the CISO reports to the CIO.

Our Board, Audit Committee, senior management and the Enterprise Risk Management Committee (a management committee of senior representatives from corporate functions and business lines) devote resources to cybersecurity and risk management processes. Cybersecurity and data governance risks are aligned with our overall Enterprise Risk Management process to help ensure potential cyber threats are identified, assessed and mitigated. Our top risks, such as cybersecurity, identified sub-risks and current and proposed mitigation strategies are reviewed regularly by the Enterprise Risk Management Committee.

The Audit Committee is primarily responsible for the oversight of enterprise risk management and cybersecurity risks, including cybersecurity threats. To fulfill this responsibility, the Audit Committee receives periodic reports from the CIO and CISO. These reports include information regarding updates on cybersecurity initiatives, cybersecurity metrics, such as phishing results and attack volume metrics, results of any assessments performed by internal stakeholders or external third-party advisors and updates on cybersecurity trends and insights. The CIO and CISO provide a cybersecurity update to the full Board at least annually.

Company Information
Name | JELD-WEN Holding, Inc. |
CIK | 0001674335 |
SIC Description | Millwood, Veneer, Plywood, & Structural Wood Members |
Ticker | JELD - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |