Our risk management program includes focused efforts on managing cybersecurity risk, including the following:
A robust information security training program that requires all company employees with access to our networks to participate in regular and mandatory training on how to be aware of, and help defend against, cyber risks, combined with periodic testing to measure the efficacy of our training efforts.
Alignment of our program with the National Institute of Technology (NIST) Cybersecurity Framework to prevent, detect and respond to cyberattacks.
Regular and robust testing of our systems to assess our vulnerability to cyber risk, which includes periodic audits of our systems by outside industry experts and regular vulnerability scanning.
Testing and audits of our IT controls by our independent external auditors.
While Weyerhaeuser is committed to a balanced cybersecurity program based on the NIST framework, we believe that our threat landscape is limited relative to that of many other companies because we do not store, transmit or process many of the types of data commonly targeted in cyberattacks. For example, we do not routinely store or transmit consumer credit card or financial information, nor do we store or maintain significant proprietary data on our systems. Moreover, our businesses do not involve or represent national infrastructure the likes of which are common targets of cyber attackers (i.e., energy, oil & gas, transportation, communications, banking and financial systems, etc.). Nonetheless, we do maintain insurance for damage to property caused by a cyberattack.
Members of management, including our chief information officer and our chief information security officer, regularly report on the company’s cybersecurity matters to both the audit committee of the board of directors and the full board, which has primary oversight responsibility in this area, as follows:
Our cybersecurity program and risks are specifically discussed at least three times per year (including as part of our discussions regarding enterprise risk management.)
Our internal audit function’s reviews of our information security programs and controls are included in quarterly reports to the audit committee.
Current information security issues that arise during the year are discussed throughout the year if potentially significant to the company and are discussed with our chairman and Audit Committee chair between board meetings as appropriate.
We recognize that cyber threats are a permanent part of the risk landscape and that new threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority at Weyerhaeuser.