Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 28, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risks from Cybersecurity Threats. Information relating to risks from cybersecurity threats is included in this report in Item 1A under the caption “Cybersecurity breaches or other failures in our information technology systems could disrupt our business.” Our cybersecurity risk management program is designed to evaluate material threats and vulnerabilities throughout the organization and their potential impact on our operations, data, and stakeholders. Our program is reviewed and updated regularly to address emerging risks, following the NIST Cybersecurity Framework, NIST Risk Management Framework, and CIS Top 18 Security Controls.

We manage cybersecurity risks through a three-step process:

1. Identify. We assess our critical operational assets and those that may attract threat actors, identifying any cyber activities that could diminish asset value, hinder operational capabilities, or covertly grant access to threat actors.
2. Assess. We evaluate the exposure of our assets to identified cyber risks and determine the potential operational or reputational impact if access or utilization is compromised. This assessment includes determining the materiality of these risks based on their potential impact.
3. Manage. We have implemented a multi-layered defense strategy designed to secure asset access and prevent unauthorized access. We prioritize our defenses based on cost-effectiveness and risk reduction potential, using administrative, procedural, and technical controls.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We employ a structured approach to monitor and mitigate risks through:

Regular network and system monitoring for potential threats.
Regular vulnerability assessments and penetration testing.
Implementation of technical controls such as firewalls, intrusion detection systems, and encryption.
Employee training and awareness programs.
Incident response plans designed for swift and effective mitigation.
Software and vendor risk assessments.
Vulnerability management solutions prioritizing patching based on risk.
Privileged account management solutions for administrative access.

These measures aim to prevent, detect, and respond to cybersecurity incidents effectively. They are regularly reviewed and updated to adapt to evolving threats.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Directors Oversight. The role of the Board of Directors with respect to our cybersecurity program is one of oversight of management, and the Board has delegated primary oversight authority over the program to the Audit Committee.  The Audit Committee oversees these risks as outlined in its Charter, which mandates reviewing the company's information technology framework, practices, and implemented controls to monitor and mitigate IT risks.

The Audit Committee meets quarterly and receives reports and briefings from the CIO, Director of Cybersecurity, and the cybersecurity team on emerging threats, risk status, and mitigation strategies. The Committee engages with the cybersecurity team to increase their understanding of the specific issues facing the Company and to challenge the team as appropriate. The Committee also may consult external cybersecurity experts as needed to fulfill its oversight role.  The Audit Committee regularly reports to the Board on matters addressed during the Committee’s quarterly meetings, including any material cybersecurity risks or developments.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee meets quarterly and receives reports and briefings from the CIO, Director of Cybersecurity, and the cybersecurity team on emerging threats, risk status, and mitigation strategies. The Committee engages with the cybersecurity team to increase their understanding of the specific issues facing the Company and to challenge the team as appropriate. The Committee also may consult external cybersecurity experts as needed to fulfill its oversight role.  The Audit Committee regularly reports to the Board on matters addressed during the Committee’s quarterly meetings, including any material cybersecurity risks or developments.

Cybersecurity Risk Role of Management [Text Block]

Our cross-functional cybersecurity team, composed of experts with decades of combined experience, supports the CIO and Director in implementing our cybersecurity program. This team consults with legal, HR, and IT specialists to assess the materiality of cybersecurity risks and incidents, using a well-established Incident Response Plan that includes clear escalation measures.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] CIO and Director of Cybersecurity
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
CIO. With over 20 years of experience in the information technology space, the CIO brings to UFP Industries expertise and strategic insight in cybersecurity, compliance, enterprise architecture, systems resilience, and digital transformation.
Director of Cybersecurity. With over 30 years of experience in the information technology space, including systems architecture, management, and cybersecurity risk management, the Director reports directly to the CIO and is responsible for day-to-day cybersecurity operations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
CIO. With over 20 years of experience in the information technology space, the CIO brings to UFP Industries expertise and strategic insight in cybersecurity, compliance, enterprise architecture, systems resilience, and digital transformation.
Director of Cybersecurity. With over 30 years of experience in the information technology space, including systems architecture, management, and cybersecurity risk management, the Director reports directly to the CIO and is responsible for day-to-day cybersecurity operations.

Our cross-functional cybersecurity team, composed of experts with decades of combined experience, supports the CIO and Director in implementing our cybersecurity program. This team consults with legal, HR, and IT specialists to assess the materiality of cybersecurity risks and incidents, using a well-established Incident Response Plan that includes clear escalation measures.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true