Page last updated on February 25, 2025
ARMSTRONG WORLD INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 07:00:55 EST.
Filings
10-K filed on 2025-02-25
Accession Number: 0000950170-25-026060
Item 1C. Cybersecurity.
Our use of information systems for collecting, using, transmitting and storing data is a vital aspect of our business operations. Information systems are inherently vulnerable to a range of cybersecurity threats that could potentially have a material impact on our strategy, financial condition, liquidity or results of operations.
Cybersecurity Risk Management and Strategy.
The Company actively maintains an enterprise risk management program. Management’s role is to identify, mitigate, guide and review the efforts of our business units, consider whether the residual risks are acceptable, and approve plans to deal with serious risks. Cybersecurity is a key risk management category within our enterprise risk management program. The Vice President and Chief Information Officer (“CIO”), who also serves as a member of the Company’s enterprise risk council, works closely with key business leaders and functions to develop and enhance the Company’s cybersecurity strategy. Our cybersecurity program is designed to safeguard against an evolving threat landscape through effective prevention, detection, response and recovery processes. Our cybersecurity risk management processes include frequent assessment of our top cyber risks and mitigations.
Our cybersecurity risk program is a comprehensive framework designed to safeguard our organization and stakeholders from evolving threats. Central to this approach is our commitment to threat and vulnerability management, where we proactively identify, prioritize, and address potential cybersecurity gaps to strengthen our overall security posture. We emphasize identity and access management by implementing access controls and robust authentication methods to protect user identities and secure information technology systems. Data protection and privacy is in place to ensure sensitive information is protected from exfiltration.
Our cybersecurity defenses leverage systems and technologies, including firewalls, network access, endpoint protection, privileged access management, user behavior analytics, multi-factor authentication, intrusion detection systems and continuous monitoring. The purpose of these systems and technologies is to stay ahead of potential threats. To prepare for and respond to potential cybersecurity events, we conduct regular incident response exercises, ensuring our readiness and resilience. Additionally, we invest in employee training and awareness programs to promote a culture of security mindfulness and reduce risks associated with human error.
Recognizing the importance of third-party relationships, we maintain a vendor risk management program that includes monitoring the cybersecurity practices of our vendors, and if applicable, performing user access reviews and evaluating System and Organization Controls reports at both inception and on an ongoing basis. Together, these efforts reflect our dedication to building a secure and compliant environment that protects our operations, data, and the trust of our stakeholders.
Our program incorporates an Incident Response Plan to guide the evaluation, response, and escalation of cybersecurity incidents. This plan is overseen by our CIO and executed by a cross-functional Cybersecurity Incident Response Team. The incident response plan establishes clear protocols for incident identification, impact assessment, containment and resolution, with defined escalation paths based on incident severity. Cybersecurity incidents above a defined threshold of criticality are evaluated for materiality to determine reporting and disclosure requirements. To enhance our response capabilities, we conduct periodic assessments, including third-party reviews, and simulate incidents through regular tabletop exercises.
Our cybersecurity program’s effectiveness is periodically evaluated against established quantifiable goals and other external benchmarks, including the National Institute of Standards and Technology security framework. This evaluation is carried out through internal and external risk assessments and compliance audits. We regularly engage third parties to help conduct these evaluations, assessments and audits, advise us on the effectiveness of our cybersecurity processes and assist the Company in remediating any identified vulnerabilities.
We do not believe that risks from cybersecurity threats, individually or in the aggregate, including any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, our strategy, financial condition, liquidity or results of operations. For additional information on how cybersecurity risk may affect our business, refer to Item 1A. Risk Factors of this Form 10-K under the heading “We rely on operating and information systems that may experience a failure, a compromise of security, or a violation of data privacy laws or regulations, which could interrupt or damage our operations and have a material adverse effect on our financial condition, liquidity or results of operations.”
Governance.
Our Board of Directors has responsibility for oversight of management’s cybersecurity risk program and receives regular updates from our CIO. These updates, provided on a semi-annual basis, cover a range of topics, including the performance of our cybersecurity program against established goals and external standards, insights into the evolving cybersecurity landscape, current events and recent cybersecurity threats, and progress in enhancing the Company’s cybersecurity posture. Pursuant to its charter, the Audit Committee of our Board of Directors is responsible for reviewing management’s cybersecurity incident reporting process, methodology and tools.
In addition, the Audit Committee is responsible for reviewing management’s materiality assessments of cybersecurity incidents identified as significant by management.
Our CIO holds an advanced degree in Information Technology with over 20 years of experience, including senior leadership roles in technology at various companies. The CIO oversees a cybersecurity team, comprised of internal and external subject matter experts who work collaboratively to achieve our cybersecurity objectives. In addition, our CIO leads the Information Security Steering Committee, a group comprised of key information technology employees and business leaders, including our Senior Vice President, Chief Financial Officer and Senior Vice President, General Counsel and Chief Compliance Officer. This committee meets regularly to review and discuss the Company’s cybersecurity strategies and developments, ensuring a comprehensive approach to managing cybersecurity risk.
Company Information
Name | ARMSTRONG WORLD INDUSTRIES INC |
CIK | 0000007431 |
SIC Description | Plastics Products, NEC |
Ticker | AWI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |