BEACON ROOFING SUPPLY INC 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

BEACON ROOFING SUPPLY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:05:10 EST.

Filings

10-K filed on 2025-02-27

BEACON ROOFING SUPPLY INC filed a 10-K at 2025-02-27 16:05:10 EST
Accession Number: 0001124941-25-000021

Item 1C. Cybersecurity.

Risk Management and Strategy

We have an information security program in place to safeguard our information systems and protect our confidential data. This cybersecurity risk management program is integrated into our broader enterprise risk management framework, under a Risk Committee that is led by our VP, Strategy & Transformation and includes our Chief Technology Officer, who is responsible for cybersecurity and information technology matters, General Counsel and other business and strategy leaders. The Risk Committee identifies, assesses, and manages enterprise level risks facing the Company, taking into account likelihood of occurrence and potential impact. The Risk Committee reports to our Executive Committee and this process is primarily overseen by the Audit Committee of our Board. Our Executive Committee consists of our executive officers and other senior members of management.

Our information security program aligns with industry standards and best practices, such as the Center for Internet Security Critical Security Controls (“CIS Controls”). It consists of information security and privacy policies and procedures, which include, among other things, endpoint threat detection and response, identity and access management, vulnerability and patch management, and multi-factor authentication. We also provide new hire and annual security awareness and privacy training to employees. We conduct monthly phishing assessment exercises to ensure employees are aware and educated about phishing threats and are trained to identify and report them. We use third-party security firms to assist us in performing assessments annually and penetration testing regularly throughout the year on our applications, networks, and environments. We perform an annual review to verify our compliance with the Payment Card Industries Data Security Standards (“PCI DSS”).

We use a variety of methods to oversee and identify material cybersecurity threats related to the use of third-party technology and services. By way of example, we perform diligence with respect to third parties, obtain contractual protections, and utilize third-party risk monitoring security rating services.

In the event of a security issue, we have a written incident response plan and have retained trusted experts to assist us in quickly triaging, containing, and understanding the issue. Our management team periodically reviews our response readiness and completes tabletop exercises on potential cybersecurity breaches with the assistance of a third-party cybersecurity consultant. We use the results from these exercises to enhance our response plan and cybersecurity protections going forward.

We are not aware of any material risks from cybersecurity threats that have materially impaired or could materially impair our business, results of operations, or financial condition. However, our information security controls, no matter how well designed or implemented, will not fully eliminate cybersecurity risk. It is possible that we are unable to detect or underestimate certain vulnerabilities, or that we may not effectively implement security controls as intended. The Company does manage information security issues that are immaterial individually and in the aggregate from time to time as part of our routine operations.

For additional information regarding how cybersecurity threats could potentially materially affect our business strategy, results of operations, or financial condition, see Part 1, Item 1A “Risk Factors - Risks Related to Information Technology.” Interruption, interference with, or failure of information technology systems could hurt our ability to effectively provide our product and services, which could harm our reputation, financial condition, operating results, and cash flows.

Governance

Board Oversight. The Audit Committee assists the Board in fulfilling its fiduciary duties regarding cybersecurity risk oversight. The Audit Committee is composed of directors with diverse professional experience, including three members with backgrounds in cybersecurity. We believe this expertise enables our Audit Committee to effectively oversee our cybersecurity risks and incident response plans. For more information on our directors’ expertise, see our definitive proxy statement for our 2025 Annual Meeting of Stockholders to be filed with the SEC.

Our Chief Technology Officer briefs the Audit Committee of our Board quarterly, and our full Board annually, regarding cybersecurity risks and information security matters, including the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives and projects, the results of any third-party security ratings or assessments of our cybersecurity program, and regulatory updates. Members of management also provide regular updates to the Audit Committee on the categorization and management of enterprise risks, including information security risks. In addition, the Board participates in ongoing education and periodic tabletop exercises on cybersecurity breach response planning.

Management’s Role. Our Vice President, IT - Technical Services reports to our Chief Technology Officer and is the head of our cybersecurity team. He is responsible for assessing and managing our cybersecurity management program, informs our Chief Technology Officer regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, and supervises and monitors such efforts. Our Chief Technology Officer has more than 20 years of experience in cybersecurity and information systems management, and our Vice President, IT - Technical Services has nearly three decades of experience managing information systems, network infrastructure, and cybersecurity in the public and private sectors. This combined in-depth knowledge and experience has been critical in developing and implementing our cybersecurity programs. In addition to quarterly reports to the Audit Committee, as an Executive Vice President and member of the Executive Committee, our Chief Technology Officer regularly briefs the Executive Committee on the threat landscape, the Company’s cybersecurity programs, and risks, so that the highest level of management is regularly informed of cybersecurity issues for decision-making and guidance.


Company Information

Name: BEACON ROOFING SUPPLY INC
CIK: 0001124941
SIC Description: Wholesale-Lumber & Other Construction Materials
Ticker: BECN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30