XML 36 R10.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

CYBERSECURITY

RISK MANAGEMENT

Our risk management program includes focused efforts on identifying, assessing and managing cybersecurity risk, including the following:
A robust information security training program that requires all company employees with access to our networks to participate in regular and mandatory training on how to be aware of, and help defend against, cyber risks, combined with periodic testing to measure the efficacy of our training efforts. Highlights of our training program include:

At least annual training for company employees who have access to our information systems.
Specialized training for all new hires.
Targeted training for all employees aimed at responding to current and emerging risks and threats using tools such as situational simulations and frequent testing of our employees' ability to identify and appropriately respond to cybersecurity threats.

Alignment of our program with the National Institute of Standards and Technology Cybersecurity Framework to prevent, detect and respond to cyberattacks.

Ongoing adoption of a “zero trust” cybersecurity model.

Regular and robust testing of our systems to assess our vulnerability to cyber risk, which includes targeted penetration testing, tabletop incident response exercises, periodic audits of our systems by outside industry experts and regular vulnerability scanning.

A formal vendor risk assessment process to ensure any vendors with information access have appropriate security measures and practices in place.

Engaging external cybersecurity experts in incident response development and management.

Business continuity plans and critical recovery backup systems.

Requiring employees and third parties who have access to our systems to treat confidential and private information and data with care.

Insurance for damage to property caused by a cyberattack.
Our chief information security officer (CISO) is primarily responsible for leading the technical team that assesses and manages cybersecurity risk for the company on a day-to-day basis. He and other members of the cybersecurity team have deep and broad experience and training in cybersecurity management, as well as relevant education and industry recognized certifications in information systems security.

CYBERSECURITY INCIDENT RESPONSE PROCESS

We maintain and actively update a cybersecurity incident response plan that outlines the steps we take to identify, investigate and take action in response to any potentially material cyber incidents. Our response plan ensures that our Cyber Incident Response Team, which includes our CISO, members of our senior management team and select members of our legal staff, is timely informed of and consulted with respect to any potentially material cyber incidents.

BOARD OVERSIGHT OF CYBER RISK

Members of management, including our CISO, regularly report on the company’s cybersecurity matters to both our board’s Audit Committee and to the full board, which has primary oversight responsibility in this area, as follows:
Our cybersecurity program and risks are specifically discussed at least three times per year (including as part of our discussions regarding enterprise risk management).

Our internal audit function’s reviews of our information security programs and controls are included in quarterly reports to the Audit Committee.

Current information security issues that arise during the year are discussed throughout the year if potentially significant to the company and are discussed with our chairman and Audit Committee chair between board meetings as appropriate.

RISK MITIGATION

We also manage cybersecurity risk by limiting our threat landscape. For example, we do not store, transmit or process many of the types of data commonly targeted in cyberattacks, such as consumer credit card or financial information, nor do we store or maintain significant proprietary data on our systems. Moreover, our businesses do not involve or represent national infrastructure, the likes of which are common targets of cyber attackers (e.g., energy, oil and gas, transportation, communications and banking and financial systems). We recognize that cyber threats are a permanent part of the risk landscape and that new threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority at Weyerhaeuser.

Like many companies, we face a number of cybersecurity risks in the day-to-day operation of our business. Although during the three-year period ended December 31, 2024 and to date these risks have not materialized into any incident or series of incidents that have materially affected, or are reasonably likely to materially affect the company, its business strategy, results of operations or financial condition or otherwise caused material harm to the company, we have, on occasion, experienced cybersecurity threats to our data and information systems, including phishing attacks. Over this same time period, certain of our vendors and service providers have notified us of cybersecurity incidents involving their own systems and these cybersecurity incidents, likewise, have not materially affected us, our business strategy, results of operations or financial condition or otherwise caused material harm to the company. To date, we have incurred no expenses for penalties or settlements with a third party relating to any cybersecurity incidents. For more information about the cybersecurity risks we face, see the risk factor entitled "Information Systems and Cybersecurity" in Item 1A Risk Factors.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity program and risks are specifically discussed at least three times per year (including as part of our discussions regarding enterprise risk management).

Our internal audit function’s reviews of our information security programs and controls are included in quarterly reports to the Audit Committee.

Current information security issues that arise during the year are discussed throughout the year if potentially significant to the company and are discussed with our chairman and Audit Committee chair between board meetings as appropriate.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Although during the three-year period ended December 31, 2024 and to date these risks have not materialized into any incident or series of incidents that have materially affected, or are reasonably likely to materially affect the company, its business strategy, results of operations or financial condition or otherwise caused material harm to the company
Cybersecurity Risk Board of Directors Oversight [Text Block]

BOARD OVERSIGHT OF CYBER RISK

Members of management, including our CISO, regularly report on the company’s cybersecurity matters to both our board’s Audit Committee and to the full board, which has primary oversight responsibility in this area, as follows:
Our cybersecurity program and risks are specifically discussed at least three times per year (including as part of our discussions regarding enterprise risk management).

Our internal audit function’s reviews of our information security programs and controls are included in quarterly reports to the Audit Committee.

Current information security issues that arise during the year are discussed throughout the year if potentially significant to the company and are discussed with our chairman and Audit Committee chair between board meetings as appropriate.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

BOARD OVERSIGHT OF CYBER RISK

Members of management, including our CISO, regularly report on the company’s cybersecurity matters to both our board’s Audit Committee and to the full board, which has primary oversight responsibility in this area, as follows:
Our cybersecurity program and risks are specifically discussed at least three times per year (including as part of our discussions regarding enterprise risk management).

Our internal audit function’s reviews of our information security programs and controls are included in quarterly reports to the Audit Committee.

Current information security issues that arise during the year are discussed throughout the year if potentially significant to the company and are discussed with our chairman and Audit Committee chair between board meetings as appropriate.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Members of management, including our CISO, regularly report on the company’s cybersecurity matters to both our board’s Audit Committee and to the full board
Cybersecurity Risk Role of Management [Text Block]

Our chief information security officer (CISO) is primarily responsible for leading the technical team that assesses and manages cybersecurity risk for the company on a day-to-day basis. He and other members of the cybersecurity team have deep and broad experience and training in cybersecurity management, as well as relevant education and industry recognized certifications in information systems security.

CYBERSECURITY INCIDENT RESPONSE PROCESS

We maintain and actively update a cybersecurity incident response plan that outlines the steps we take to identify, investigate and take action in response to any potentially material cyber incidents. Our response plan ensures that our Cyber Incident Response Team, which includes our CISO, members of our senior management team and select members of our legal staff, is timely informed of and consulted with respect to any potentially material cyber incidents.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our chief information security officer (CISO) is primarily responsible for leading the technical team that assesses and manages cybersecurity risk for the company on a day-to-day basis
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] He and other members of the cybersecurity team have deep and broad experience and training in cybersecurity management, as well as relevant education and industry recognized certifications in information systems security
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

We maintain and actively update a cybersecurity incident response plan that outlines the steps we take to identify, investigate and take action in response to any potentially material cyber incidents. Our response plan ensures that our Cyber Incident Response Team, which includes our CISO, members of our senior management team and select members of our legal staff, is timely informed of and consulted with respect to any potentially material cyber incidents.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true