TREX CO INC 10-K Cybersecurity GRC - 2025-02-24

Page last updated on February 24, 2025

TREX CO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 17:10:27 EST.

Filings

10-K filed on 2025-02-24

TREX CO INC filed a 10-K at 2025-02-24 17:10:27 EST
Accession Number: 0000950170-25-025780

Item 1C. Cybersecurity.

Cybersecurity Risk Management

The Company has systems and processes for identification, assessment, and management of material risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. The Company’s multi-faceted approach includes deploying applications and control activities to actively monitor and mitigate potential threats to the Company’s IT environment. These activities include, but are not limited to, engaging an external third-party to monitor information systems security events, conducting annual security training of employees, testing employees via periodic phishing campaigns, conducting system vulnerability scanning, utilizing a patching program to remediate critical patches, and utilizing an external third-party to perform testing to identify gaps in the Company’s security program.

The Company also performs third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners. Additionally, for providers of software-as-a-service and other services that hold Company data, the Company reviews and assesses industry standard certifications such as System and Organization Controls (SOC) 1 or SOC 2 reports and cybersecurity preparedness questionnaires. Mitigation of risk efforts are coordinated by the Company’s Director of Information Security, utilizing internal resources and third-party providers.

The Company has not had any cybersecurity risks that have materially affected the Company, including its business strategy, results of operations, or financial condition. Cybersecurity risks are disclosed in Part I Item 1A. Risk Factors, incorporated herein by reference.

Cybersecurity Governance

Our cybersecurity programs, including the cross-functional management committees responsible for identifying, assessing, and mitigating cybersecurity risks and incidents, are overseen by our Vice President and Chief Information Officer. Day-to-day administration of the cybersecurity programs are led by our Director of Information Security, a direct report to the Vice President and Chief Information Officer. Our Vice President and Chief Information Officer has 27 years of technology leadership experience and a Doctor of Business Administration. Our Director of Information Security has 27 years of experience in infrastructure and security operations and a degree in Information Technology Management.

Our Director of Information Security is the chair of the Company’s Information Security Committee. The activities of the Information Security Committee are reviewed by the Executive Information Security Oversight Committee, which is comprised of members of our senior leadership team including our Vice President and Chief Information Officer, Senior Vice President, Chief Financial Officer, Senior Vice President, Chief Legal Officer and Secretary and Senior Vice President, Chief Human Resources Officer. The Executive Information Security Oversight Committee facilitates notification to the Audit Committee of emerging cybersecurity risks, and threats, the status of projects to strengthen the Company’s information security systems, and updates on any cybersecurity incidents.

The Audit Committee of the Board of Directors oversees cybersecurity related risks. Members of the Audit Committee receive the above referenced notifications and updates on a quarterly basis from the Company’s Chief Information Officer as the designated representative of the Executive Information Security Oversight Committee. Additionally, the Company has a written Information Security Policy and a Cybersecurity Incident Response Plan that provides the above-referenced processes by which such committees are informed of and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents and material risks from cybersecurity threats.


Company Information

Name: TREX CO INC
CIK: 0001069878
SIC Description: Lumber & Wood Products (No Furniture)
Ticker: TREX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30