RELIANCE, INC. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

RELIANCE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:06:41 EST.

Filings

10-K filed on 2025-02-27

RELIANCE, INC. filed a 10-K at 2025-02-27 16:06:41 EST
Accession Number: 0001558370-25-001806

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Reliance has implemented processes for assessing, identifying and managing material risks from cybersecurity threats, which are integrated into the Company’s overall enterprise risk management systems and processes. The Company’s cybersecurity risk program is largely based on the U.S. National Institute for Standards and Technology (“NIST”) cybersecurity framework and other applicable industry frameworks. The Company regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and containment. The Company has also engaged third parties in connection with the assessment and advancement of its cybersecurity risk management processes. We undertake regular vulnerability scanning, periodic penetration testing and maturity assessments with the support of third parties; vulnerabilities are subsequently addressed based on risk/benefit analyses. To support our preparedness, we have constituted a Cybersecurity Review Committee (“CRC”) and adopted a written incident response plan (“IRP”). The CRC is comprised of cross-functional personnel including Reliance’s Chief Information Officer (“CIO”), Chief Financial Officer (“CFO”), General Counsel and Vice President, Enterprise Risk. In the event of a cybersecurity incident, our CRC refers to our IRP and existing management internal controls processes. Pursuant to these prescribed processes, designated personnel are responsible for assessing the severity of the incident and any associated threats, containing and resolving the incident as quickly as possible, managing any damage to the Company’s systems and networks, minimizing the impact on the Company’s stakeholders, analyzing and executing upon reporting obligations, escalating information about the incident to senior management and potentially representatives from the Board, as appropriate, and performing post-incident analysis and program enhancements, as needed. We perform tabletop exercises to test our incident response procedures, identify cybersecurity gaps and vulnerabilities and improvement opportunities and exercise team preparedness. Reliance mandates regular cybersecurity training for employees and applicable contractors designed to provide employees and contractors with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. The training covers various cyberattack methodologies, including insider attacks, phishing and other forms of social engineering, and other email attacks, malware attacks, data protection, data handling, password protections, cloud and internet security and cybersecurity fundamentals for mobile devices. We take a risk-based approach with respect to our use and oversight of third-party service providers , using a number of means to assess cyber risks related to our third-party service providers, including vendor questionnaires, conducting due diligence in connection with onboarding new vendors, and negotiating for cybersecurity-related terms in vendor agreements as appropriate. We also seek to collect and assess cybersecurity audit reports and other supporting documentation when available. Cybersecurity Risks Like other complex corporations, Reliance is the target of cyber-attacks from time to time, which have to date been immaterial individually and in the aggregate to our business strategy, results of operations or financial condition. There can be no assurance that any future cybersecurity incidents will not be material to our business. For additional information about risks related to cybersecurity, please see the risk factor set forth under the caption Item 1A. “Risk Factors” the Risk Factor captioned " We rely on information management systems and any damage, interruption or compromise of our information technology management systems, networks or data could disrupt and harm our business." Governance Roles and Responsibilities Cybersecurity is an important element of our risk management processes and an area of particular focus for Reliance’s Board of Directors and management. The Company’s CIO serves as single point of communication and coordination for protecting the Company and its digital information . The CIO performs an initial assessment of each reported cyber incident and escalates all non-trivial cybersecurity incidents and risks to the CRC . The CRC is primarily responsible for assessing and managing material risks from cybersecurity threats and is comprised of a cross-functional team including the CIO, as well as senior representatives from the Company’s risk management, finance and legal functions. The CIO has 15 years of experience in managing of cybersecurity . The Board, acting through its committee structure, is responsible for overseeing management’s implementation and execution of the enterprise risk management processes and for coordinating the outcome of reviews by Committees in their respective risk areas. Although each Committee is responsible for overseeing the management of certain risks, the Board is regularly informed by the Committees about these risks. This helps enable the Board and the Committees to coordinate risk oversight and the relationships among the various risks faced by the Company, including cybersecurity risk. Directors with experience overseeing and managing risk management processes play a critical role in the Board’s oversight of our enterprise risk management processes. The Board has designated the Audit Committee to be responsible for oversight of cybersecurity risk. The Audit Committee receives regular reports from the CRC and the CIO that may discuss topics such as prior assessments, cybersecurity trends, prior cybersecurity events, and planned enhancements. In addition, the Audit Committee also receives regular periodic reports regarding information technology general controls in connection with its oversight of internal control over financial reporting. The Chair of the Audit Committee regularly briefs the Board on these matters.

Company Information