|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
CRH leverages its Enterprise Risk Management (ERM) framework, which accords with internationally recognized standards, to identify, assess, respond, monitor and report material cybersecurity risks facing the Company. CRH manages cybersecurity risk at multiple levels within the Company. Given CRH’s wide geographic spread, the frequency and possible scale of acquisition activity, the diversity of the types of IT systems operated by CRH companies and the decentralized nature of its operations, CRH implements an amalgam of centralized and decentralized processes for IT management. Under this model, Company-level management and the management of CRH’s operating companies and business units share responsibility for cybersecurity management and collaborate on assessing, identifying, and managing material risks.
CRH’s operating companies and business units use a variety of tools and processes to identify and manage material cybersecurity risks. CRH utilizes multiple monitoring tools and practices to identify and detect unusual activities and/or potential cybersecurity incidents, including potential system breaches, and to verify the effectiveness of protective measures. CRH’s operating companies and business units implement various risk mitigation strategies, including continuously strengthening security measures, improving incident response plans through post-incident evaluations and assessments, investing in security technologies, providing regular and focused employee training, and transferring risk through cybersecurity insurance.
At the Group level, CRH conducts a semi-annual bottom-up risk assessment focused on CRH’s operating companies and business units, including cybersecurity-related risks, which evaluates the impact and likelihood of the identified cyber risks and the effectiveness of existing security measures, policies, and procedures. CRH also requires that each operating company completes a self-assessment regarding its cyber controls and risk, including user awareness training, email security protection, multi-factor authentication, system patch management, identity management, network segregation, antivirus and web protections, asset inventory, privileged access management, logging, monitoring, and incident response capabilities.
As described further below under “Cybersecurity Governance”, CRH’s Board and senior management receive regular briefings on cybersecurity risks facing CRH and are closely involved in identifying cybersecurity risks, developing CRH’s plan for managing such risks, and continuously refining CRH’s cyber defenses in response to the information gathered through the above-mentioned risk assessments.
To manage the risk of a material impact on CRH’s operations or financial performance due to a cybersecurity incident, CRH has implemented a mandatory Cybersecurity Incident Escalation Standard as part of its Company-wide Information Security Policy. This Standard, which is supported by relevant guidelines and procedural documentation, provides a structured approach adapted to the systems of each CRH operating company and business unit to manage the incident response process through a series of pre-defined phases, including triage, containment, eradication, recovery, and post-incident analysis.
CRH also provides regular and focused training to aid employees in understanding and complying with relevant Company policies and applicable regulations, including those related to cybersecurity.
Assessment and management of cybersecurity risks is a key component of CRH’s broader risk governance processes as cybersecurity is a core risk facing the Company. Identification of cybersecurity risks is integrated into CRH’s overall ERM framework, with a focus on risks related to information systems, data security, operational technology and technology infrastructure.
CRH works closely with multiple external advisors specializing in cybersecurity to improve its ability to identify and detect, protect against, and recover from, cybersecurity incidents. In addition, CRH leverages certain managed service providers to aid in triaging and monitoring potentially malicious activities. CRH is dependent upon third-party service providers for certain IT-related services, and has systems of oversight to evaluate potential risks in certain critical third-parties on whom CRH has a material dependency. These systems would include the use of vendor security questionnaires, vulnerability assessments and annual audits.
CRH has not been subject to a cyber-attack that has had a material impact on our operations or financial results. For additional information, please refer to Item 1A. “Risk Factors”.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
CRH leverages its Enterprise Risk Management (ERM) framework, which accords with internationally recognized standards, to identify, assess, respond, monitor and report material cybersecurity risks facing the Company. CRH manages cybersecurity risk at multiple levels within the Company. Given CRH’s wide geographic spread, the frequency and possible scale of acquisition activity, the diversity of the types of IT systems operated by CRH companies and the decentralized nature of its operations, CRH implements an amalgam of centralized and decentralized processes for IT management. Under this model, Company-level management and the management of CRH’s operating companies and business units share responsibility for cybersecurity management and collaborate on assessing, identifying, and managing material risks.
CRH’s operating companies and business units use a variety of tools and processes to identify and manage material cybersecurity risks. CRH utilizes multiple monitoring tools and practices to identify and detect unusual activities and/or potential cybersecurity incidents, including potential system breaches, and to verify the effectiveness of protective measures. CRH’s operating companies and business units implement various risk mitigation strategies, including continuously strengthening security measures, improving incident response plans through post-incident evaluations and assessments, investing in security technologies, providing regular and focused employee training, and transferring risk through cybersecurity insurance.
At the Group level, CRH conducts a semi-annual bottom-up risk assessment focused on CRH’s operating companies and business units, including cybersecurity-related risks, which evaluates the impact and likelihood of the identified cyber risks and the effectiveness of existing security measures, policies, and procedures. CRH also requires that each operating company completes a self-assessment regarding its cyber controls and risk, including user awareness training, email security protection, multi-factor authentication, system patch management, identity management, network segregation, antivirus and web protections, asset inventory, privileged access management, logging, monitoring, and incident response capabilities.
As described further below under “Cybersecurity Governance”, CRH’s Board and senior management receive regular briefings on cybersecurity risks facing CRH and are closely involved in identifying cybersecurity risks, developing CRH’s plan for managing such risks, and continuously refining CRH’s cyber defenses in response to the information gathered through the above-mentioned risk assessments.
To manage the risk of a material impact on CRH’s operations or financial performance due to a cybersecurity incident, CRH has implemented a mandatory Cybersecurity Incident Escalation Standard as part of its Company-wide Information Security Policy. This Standard, which is supported by relevant guidelines and procedural documentation, provides a structured approach adapted to the systems of each CRH operating company and business unit to manage the incident response process through a series of pre-defined phases, including triage, containment, eradication, recovery, and post-incident analysis.
CRH also provides regular and focused training to aid employees in understanding and complying with relevant Company policies and applicable regulations, including those related to cybersecurity.
Assessment and management of cybersecurity risks is a key component of CRH’s broader risk governance processes as cybersecurity is a core risk facing the Company. Identification of cybersecurity risks is integrated into CRH’s overall ERM framework, with a focus on risks related to information systems, data security, operational technology and technology infrastructure.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board is responsible for strategy, risk and governance, including oversight of risks from cybersecurity threats. The Board has delegated to the Audit Committee primary responsibility for oversight of cybersecurity risk management and the associated internal control systems. The Audit Committee is currently made up of six independent directors with a range of relevant cybersecurity, information technology and operational technology experience.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit Committee receives updates at least annually from the Chief Information Security Officer (CISO) on the design and progress of key information security initiatives in addition to regular briefings on cybersecurity and management of cybersecurity-related risks from relevant members of management, including the Head of ERM and our CISO. Recent updates from the CISO have focused on the Company’s information security strategy, ongoing security assessments and ongoing projects. The Audit Committee is responsible for updating the Board on identified risks related to cybersecurity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit Committee receives updates at least annually from the Chief Information Security Officer (CISO) on the design and progress of key information security initiatives in addition to regular briefings on cybersecurity and management of cybersecurity-related risks from relevant members of management, including the Head of ERM and our CISO. Recent updates from the CISO have focused on the Company’s information security strategy, ongoing security assessments and ongoing projects. The Audit Committee is responsible for updating the Board on identified risks related to cybersecurity.
Our Global Leadership Team is responsible for the execution of CRH’s strategy and governance, including implementation and review of our ERM framework, which has identified cybersecurity as a core risk for CRH. CRH has established the role of CISO to provide technical leadership on a day-to-day basis in assessing and managing the Company’s material cybersecurity risks and liaising with the chief information officers of CRH’s Divisions. Our CISO has 25 years of experience working in IT, including more than a decade spent in prior technical and senior management roles related to cybersecurity. The divisional chief information officers have in excess of 20 years of experience, on average, in IT-related and cybersecurity-related roles and, together with the CISO, hold a variety of recognized and specialized credentials related to cybersecurity and IT.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Board is responsible for strategy, risk and governance, including oversight of risks from cybersecurity threats. The Board has delegated to the Audit Committee primary responsibility for oversight of cybersecurity risk management and the associated internal control systems. The Audit Committee is currently made up of six independent directors with a range of relevant cybersecurity, information technology and operational technology experience.
The Audit Committee receives updates at least annually from the Chief Information Security Officer (CISO) on the design and progress of key information security initiatives in addition to regular briefings on cybersecurity and management of cybersecurity-related risks from relevant members of management, including the Head of ERM and our CISO. Recent updates from the CISO have focused on the Company’s information security strategy, ongoing security assessments and ongoing projects. The Audit Committee is responsible for updating the Board on identified risks related to cybersecurity.
Our Global Leadership Team is responsible for the execution of CRH’s strategy and governance, including implementation and review of our ERM framework, which has identified cybersecurity as a core risk for CRH. CRH has established the role of CISO to provide technical leadership on a day-to-day basis in assessing and managing the Company’s material cybersecurity risks and liaising with the chief information officers of CRH’s Divisions. Our CISO has 25 years of experience working in IT, including more than a decade spent in prior technical and senior management roles related to cybersecurity. The divisional chief information officers have in excess of 20 years of experience, on average, in IT-related and cybersecurity-related roles and, together with the CISO, hold a variety of recognized and specialized credentials related to cybersecurity and IT.
CRH also maintains a Company-wide incident response function centered in our Group Information Security (GIS) team, led by the CISO. GIS responds to potential incidents across CRH in accordance with predetermined severity classifications. In line with CRH’s Cybersecurity Incident Escalation Standard and supporting guidelines and procedural documentation, incidents that are deemed potentially material to the Company and/or which may lead to the exposure of confidential or sensitive data are immediately escalated to GIS for review and, as necessary, mitigation and remediation actions are taken. GIS and the CISO also review regular attestation reports that are required to be prepared by CRH’s operating companies and business units regarding cybersecurity incidents that did not meet the threshold for immediate escalation.
Following cybersecurity incidents, GIS, in conjunction with members of management of CRH’s operating companies and business units as necessary, conduct post-incident analysis and exercises designed to strengthen CRH’s cybersecurity practices. The Risk Committee and Global Leadership Team are briefed on the occurrence, mitigation and remediation of cybersecurity incidents on a regular basis, including ad-hoc briefings covering significant or potentially material incidents.
The Risk Committee, which is made up of our Chief Financial Officer, Group General Counsel, Chief Operating Officer and the Divisional Presidents of CRH Americas and CRH International, is the executive oversight body for risk management, including cybersecurity risks and the work of the CISO, GIS and related teams. The Risk Committee meets quarterly with the Head of ERM to assess risks facing CRH, and, on an as-needed basis, meets with other members of CRH management regarding cybersecurity risks and developments. The Risk Committee also reviews the half-yearly risk updates that are provided to the Audit Committee prior to dissemination.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Audit Committee receives updates at least annually from the Chief Information Security Officer (CISO) on the design and progress of key information security initiatives in addition to regular briefings on cybersecurity and management of cybersecurity-related risks from relevant members of management, including the Head of ERM and our CISO. Recent updates from the CISO have focused on the Company’s information security strategy, ongoing security assessments and ongoing projects. The Audit Committee is responsible for updating the Board on identified risks related to cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has 25 years of experience working in IT, including more than a decade spent in prior technical and senior management roles related to cybersecurity. The divisional chief information officers have in excess of 20 years of experience, on average, in IT-related and cybersecurity-related roles and, together with the CISO, hold a variety of recognized and specialized credentials related to cybersecurity and IT.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Audit Committee receives updates at least annually from the Chief Information Security Officer (CISO) on the design and progress of key information security initiatives in addition to regular briefings on cybersecurity and management of cybersecurity-related risks from relevant members of management, including the Head of ERM and our CISO. Recent updates from the CISO have focused on the Company’s information security strategy, ongoing security assessments and ongoing projects. The Audit Committee is responsible for updating the Board on identified risks related to cybersecurity.
Our Global Leadership Team is responsible for the execution of CRH’s strategy and governance, including implementation and review of our ERM framework, which has identified cybersecurity as a core risk for CRH. CRH has established the role of CISO to provide technical leadership on a day-to-day basis in assessing and managing the Company’s material cybersecurity risks and liaising with the chief information officers of CRH’s Divisions. Our CISO has 25 years of experience working in IT, including more than a decade spent in prior technical and senior management roles related to cybersecurity. The divisional chief information officers have in excess of 20 years of experience, on average, in IT-related and cybersecurity-related roles and, together with the CISO, hold a variety of recognized and specialized credentials related to cybersecurity and IT.
CRH also maintains a Company-wide incident response function centered in our Group Information Security (GIS) team, led by the CISO. GIS responds to potential incidents across CRH in accordance with predetermined severity classifications. In line with CRH’s Cybersecurity Incident Escalation Standard and supporting guidelines and procedural documentation, incidents that are deemed potentially material to the Company and/or which may lead to the exposure of confidential or sensitive data are immediately escalated to GIS for review and, as necessary, mitigation and remediation actions are taken. GIS and the CISO also review regular attestation reports that are required to be prepared by CRH’s operating companies and business units regarding cybersecurity incidents that did not meet the threshold for immediate escalation.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true