|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our cybersecurity risk management efforts are an integral part of our overall risk management processes, and we are deeply committed to safeguarding our digital and information technology environment for our employees, customers and vendors. We employ a robust, global and multi-layered security strategy, known as “defense-in-depth,” to assess, identify and manage cybersecurity risks and protect our cyber work environment from potential threats and vulnerabilities. These risks, threats and vulnerabilities include those that could result in significant operational disruption to the Company, such as production disruption, business downtime or loss of containment, as well as risks that could have significant reputational or compliance/regulatory impact.
The Company's Information Security team monitors information security risks that target both technology and manufacturing environments and identifies potential risks to Simpson’s information security posture. Any identified risks are prioritized in terms of impact to Simpson’s information security posture and, if critical, addressed immediately or added to Simpson’s information security roadmap. To supplement our internal cybersecurity resources, we also engage external third parties to perform information security assessments, penetration tests and related services to enhance our information security program.
Risks Associated with Third-Party Service Providers
In addition, we implement robust processes to oversee and manage risks associated with our business arrangements with third-party service providers. All new Simpson third-party business agreements are reviewed and assessed by our Information Security team. We also perform information security program investigations on the security posture of, and assess any publicly known information security events related to, these third-party service providers. If a third-party service provider with a business agreement with Simpson experiences an information security breach or incident, our Information Security team reviews and assesses such event to understand Simpson’s overall exposure to the security incident.
Insurance
We maintain cybersecurity insurance coverage at industry standard levels as a part of our comprehensive insurance portfolio to help mitigate risk in the event an information security event occurs.
Risks from Cybersecurity Threats
Despite our security measures, our information technology and infrastructure may remain vulnerable to disruptions, including as a result of attacks by increasingly sophisticated intruders or others who attempt to cause harm to, or otherwise interfere with the normal use of, our systems. We have experienced targeted and non-targeted cybersecurity attacks and incidents in the past that have resulted in unauthorized persons gaining access to our information systems and computer networks, and we could in the future experience similar attacks. When we do experience cybersecurity incidents like these and the one we disclosed in October 2023, we aim to utilize that experience to inform and strengthen our cybersecurity management efforts. In response to the October 2023 incident, we increased our phishing awareness training and testing, deployed a cybersecurity tool that continuously monitors and verifies the security posture of individual devices within our network, and deployed technology that provides visibility into our sensitive data across different cloud environments, allowing us to identify potential vulnerabilities and take proactive measures to protect data from unauthorized access, misuse, or theft.
We do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats we face, see the section captioned “Risks Relating to Our Intellectual Property and Information Technology” under Part I, Item 1A “Risk Factors” above.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity risk management efforts are an integral part of our overall risk management processes, and we are deeply committed to safeguarding our digital and information technology environment for our employees, customers and vendors. We employ a robust, global and multi-layered security strategy, known as “defense-in-depth,” to assess, identify and manage cybersecurity risks and protect our cyber work environment from potential threats and vulnerabilities.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Although our full Board of Directors is ultimately responsible for risk oversight, our Board is assisted in discharging its risk oversight responsibility by its committees. The Audit and Finance Committee of the Board is responsible for providing oversight of our information security program and cybersecurity risks. In connection with this oversight role, the Audit and Finance Committee receives information technology updates from management at least quarterly. Cybersecurity risks facing the Company and updates on the Company’s practices and progress to mitigate such risks are also the subject of management reports to the Audit and Finance Committee on a more frequent basis, as necessary or appropriate.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s information security efforts are led by our Executive Vice President, Chief Technology Officer (“CTO”) and our Director of Information Security (“IT Director”), supported by our executive management team. These efforts are designed to address information security governance and risk, product security, identification and protection of critical assets, third-party risk, security awareness, cyber defense operations, artificial intelligence and data protection governance, and related risk management matters.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our CTO provides relevant cybersecurity and information technology reports to the Audit and Finance Committee, and to the executive and senior leadership teams. These reports are provided at quarterly Audit and Finance Committee meetings and at our Digital Quarterly Business Review (“Digital QBR”) meetings. These reports typically include analyses of recent significant cybersecurity threats and incidents at the Company and across the industry, as well as a review of our security controls, assessments and program maturity, top risks, risk mitigation status, and a review of our third-party service providers as appropriate. Simpson’s information security roadmap and posture are also reviewed quarterly with members of the executive leadership team and the Audit and Finance Committee. In accordance with our information security program, any information security event is assessed and reviewed by our Digital Leadership team and members of the executive leadership team.
Through the Digital QBR process, the executive leadership team is responsible for assessing and reviewing our information security program and the Company’s material risks from cybersecurity threats. Additional supervision and management is provided by our Digital Leadership team, comprised of our CTO; VP, Digital Infrastructure and Operations; VP, Digital Enterprise Applications; and International IT Director.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company’s information security efforts are led by our Executive Vice President, Chief Technology Officer (“CTO”) and our Director of Information Security (“IT Director”), supported by our executive management team. These efforts are designed to address information security governance and risk, product security, identification and protection of critical assets, third-party risk, security awareness, cyber defense operations, artificial intelligence and data protection governance, and related risk management matters. Our CTO and IT Director have an average of over 25 years of prior work experience in various roles involving information technology, including security, auditing compliance, systems and programming. These individuals have relevant educational and industry experience, including holding similar positions at other large companies.
Our CTO provides relevant cybersecurity and information technology reports to the Audit and Finance Committee, and to the executive and senior leadership teams. These reports are provided at quarterly Audit and Finance Committee meetings and at our Digital Quarterly Business Review (“Digital QBR”) meetings. These reports typically include analyses of recent significant cybersecurity threats and incidents at the Company and across the industry, as well as a review of our security controls, assessments and program maturity, top risks, risk mitigation status, and a review of our third-party service providers as appropriate. Simpson’s information security roadmap and posture are also reviewed quarterly with members of the executive leadership team and the Audit and Finance Committee. In accordance with our information security program, any information security event is assessed and reviewed by our Digital Leadership team and members of the executive leadership team.
Through the Digital QBR process, the executive leadership team is responsible for assessing and reviewing our information security program and the Company’s material risks from cybersecurity threats. Additional supervision and management is provided by our Digital Leadership team, comprised of our CTO; VP, Digital Infrastructure and Operations; VP, Digital Enterprise Applications; and International IT Director.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s information security efforts are led by our Executive Vice President, Chief Technology Officer (“CTO”) and our Director of Information Security (“IT Director”), supported by our executive management team. These efforts are designed to address information security governance and risk, product security, identification and protection of critical assets, third-party risk, security awareness, cyber defense operations, artificial intelligence and data protection governance, and related risk management matters.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CTO and IT Director have an average of over 25 years of prior work experience in various roles involving information technology, including security, auditing compliance, systems and programming. These individuals have relevant educational and industry experience, including holding similar positions at other large companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CTO provides relevant cybersecurity and information technology reports to the Audit and Finance Committee, and to the executive and senior leadership teams. These reports are provided at quarterly Audit and Finance Committee meetings and at our Digital Quarterly Business Review (“Digital QBR”) meetings. These reports typically include analyses of recent significant cybersecurity threats and incidents at the Company and across the industry, as well as a review of our security controls, assessments and program maturity, top risks, risk mitigation status, and a review of our third-party service providers as appropriate. Simpson’s information security roadmap and posture are also reviewed quarterly with members of the executive leadership team and the Audit and Finance Committee. In accordance with our information security program, any information security event is assessed and reviewed by our Digital Leadership team and members of the executive leadership team.
Through the Digital QBR process, the executive leadership team is responsible for assessing and reviewing our information security program and the Company’s material risks from cybersecurity threats. Additional supervision and management is provided by our Digital Leadership team, comprised of our CTO; VP, Digital Infrastructure and Operations; VP, Digital Enterprise Applications; and International IT Director.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true