MERCER INTERNATIONAL INC. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

MERCER INTERNATIONAL INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:34:17 EST.

Filings

10-K filed on 2025-02-20

MERCER INTERNATIONAL INC. filed a 10-K at 2025-02-20 16:34:17 EST
Accession Number: 0000950170-25-024217

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain comprehensive programs and technologies to ensure that our information systems are effective and prepared for data privacy and cybersecurity risks, including regular oversight of our security programs for monitoring internal and external threats to ensure the confidentiality and privacy of our data. As the volume and complexity of cyberattacks continue to evolve, we continue to enhance our security capabilities by continued investment in cyber technologies, further developing our internal cybersecurity personnel and educating our workforce regarding cybersecurity, and leveraging emerging technologies. Risk Management and Strategies We regularly perform evaluations of our security program and continue to implement controls aligned with industry guidelines to identify threats, detect attacks and protect data. Our risk management strategy is ( 46 ) focused on three areas: (i) technology, being our hardware and software systems; (ii) processes, being our cybersecurity reporting, testing and other processes; and (iii) people, which refers to our internal cybersecurity personnel, external service providers and individual training and human interaction within our information technology and cybersecurity processes. We seek to align our cybersecurity program with practices recommended under ISO 27001 and by the National Institute of Standards and Technology and the Center for Internet Security Critical Security Controls. When reviewing key third-party information technology service providers, our engagement process customarily includes, among other things, a review of such providers’ cybersecurity measures. Additionally, we use third-party data, such as Security Scorecard, to review and monitor such providers and as an indicator in respect of our cybersecurity environments. We periodically undertake cybersecurity audits or other independent assessments, the results of which are reported to our Audit Committee. We have also implemented security monitoring programs designed to alert us of any suspicious activity, and have developed an incident response program in the event of a security breach. We have also engaged a third-party vendor to, among other things, provide continuous monitoring and respond to cybersecurity events. We implement various training programs periodically to ensure that our employees and other personnel comply with internal processes and to enhance their cybersecurity awareness. Additionally, we have engaged third-party providers to supplement our response capabilities for both informational and operational technology incidents, as needed. As of the date of this filing, we have not identified any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, there can be no assurance that we, or our third-party partners or service providers, will not experience a cybersecurity threat or incident in the future that could materially adversely affect our business strategy, results of operations, or financial condition. For further discussion of the risks related to cybersecurity, see also Item 1A. “Risk Factors - Risks Related to our Business - Failures or security breaches of our information technology systems could disrupt our operations and negatively impact our business”. Governance Our board of directors oversees our risk management processes and has tasked our Audit Committee with oversight of our cybersecurity and information governance, including periodically reviewing and discussing with management our risk exposures relating to data privacy and cybersecurity, and reviewing the steps we have taken to identify, assess, monitor, mitigate and manage such exposure and cybersecurity risks. At the management level, our Director of Cybersecurity is responsible for overseeing our cybersecurity processes and risk management, working together with our Chief Information Officer to implement our cybersecurity initiatives. Our Audit Committee and management meet with the Board on a quarterly basis to provide updates on cybersecurity risks, material cyberattacks and security incidents as they occur, as well as to promote company-wide cyber risk and security awareness. Additionally, our Chief Information Officer and Director of Cybersecurity meet periodically with the Board or the Audit Committee to brief them on technology and information security matters. Our Director of Cybersecurity is informed of cybersecurity incidents by applicable personnel, and oversees remediation efforts in accordance with our policies and processes. Our Chief Information Officer reports to our Audit Committee on significant incidents periodically. Our Chief Information Officer has over 30 years of technology leadership experience and is, among other things, a Certified Information Systems Security Professional and a Certified Secure Infrastructure Specialist. Our Director of Cybersecurity has over 20 years of experience as a cybersecurity and information technology professional. He has held various leadership positions where he developed, managed and implemented security programs and controls. He also holds, ( 47 ) among other information technology certifications, the Certified Information Systems Security Professional designation.

Company Information