Managing Cybersecurity Risk
Managing Cybersecurity Risk Our risk management program includes focused efforts on identifying, assessing and managing cybersecurity risk, including the following:
- A robust information security training program that requires all company employees with access to our networks to participate in regular and mandatory training on how to be aware of, and help defend against, cyber risks, combined with periodic testing to measure the efficacy of our training efforts. Highlights of our training program include:
- At least annual training for company employees who have access to our information systems.
- Specialized training for all new hires.
- Targeted training for all employees aimed at responding to current and emerging risks and threats using tools such as situational simulations and frequent testing of our employees’ ability to identify and appropriately respond to cybersecurity threats.
- Alignment of our program with the National Institute of Standards and Technology Cybersecurity Framework to prevent, detect and respond to cyberattacks.
- Ongoing adoption of a “zero trust” cybersecurity model.
- Regular and robust testing of our systems to assess our vulnerability to cyber risk, which includes targeted penetration testing, tabletop incident response exercises, periodic audits of our systems by outside industry experts and regular vulnerability scanning.
- A formal vendor risk assessment process to ensure any vendors with information access have appropriate security measures and practices in place.
- Engaging external cybersecurity experts in incident response development and management.
- Business continuity plans and critical recovery backup systems.
- Requiring employees and third parties who have access to our systems to treat confidential and private information and data with care.
- Insurance for damage to property caused by a cyberattack.
Our chief information security officer (CISO) is primarily responsible for leading the technical team that assesses and manages cybersecurity risk for the company on a day-to-day basis. He and other members of the cybersecurity team have deep and broad experience and training in cybersecurity management, as well as relevant education and industry recognized certifications in information systems security.
CYBERSECURITY INCIDENT RESPONSE PROCESS
We maintain and actively update a cybersecurity incident response plan that outlines the steps we take to identify, investigate and take action in response to any potentially material cyber incidents. Our response plan ensures that our Cyber Incident Response Team, which includes our CISO, members of our senior management team and select members of our legal staff, is timely informed of and consulted with respect to any potentially material cyber incidents.
BOARD OVERSIGHT OF CYBER RISK
Members of management, including our CISO, regularly report on the company’s cybersecurity matters to both our board’s Audit Committee and to the full board, which has primary oversight responsibility in this area, as follows:
- Our cybersecurity program and risks are specifically discussed at least three times per year (including as part of our discussions regarding enterprise risk management).
- Our internal audit function’s reviews of our information security programs and controls are included in quarterly reports to the Audit Committee.
- Current information security issues that arise during the year are discussed throughout the year if potentially significant to the company and are discussed with our chairman and Audit Committee chair between board meetings as appropriate.
RISK MITIGATION
We also manage cybersecurity risk by limiting our threat landscape. For example, we do not store, transmit or process many of the types of data commonly targeted in cyberattacks, such as consumer credit card or financial information, nor do we store or maintain significant proprietary data on our systems. Moreover, our businesses do not involve or represent national infrastructure, the likes of which are common targets of cyber attackers (e.g., energy, oil & gas, transportation, communications, banking and financial systems, etc.). We recognize that cyber threats are a permanent part of the risk landscape and that new threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority at Weyerhaeuser.
Like many companies, we face a number of cybersecurity risks in the day-to-day operation of our business. Although during the three-year period ended December 31, 2023 and to date these risks have not materialized into any incident or series of incidents that have had a material adverse effect on our business or otherwise caused material harm to the company, we have, on occasion, experienced cybersecurity threats to our data and information systems, including phishing attacks. Over this same time period, certain of our vendors and service providers have notified us of cybersecurity incidents involving their own systems and these incidents, likewise, have not had a material adverse effect on our business or otherwise caused material harm to the company. We have incurred no expenses for penalties or settlements with a third party relating to any cybersecurity incidents.
By using this website, you agree to our Privacy Policy. California residents: See our CCPA Privacy Notice for details on what personal information we collect and for what purposes.