Data Privacy and Security

We recognize growing cybersecurity threats and the importance of protecting the company’s information systems to ensure the safety and privacy of proprietary data and information involving our customers, suppliers and employees. CMC complies with all applicable regulations regarding data privacy and security in the countries where we operate, including the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act and other federal and state regulations.

Our data protection policies and procedures, including our Cyber Security Policy, threat monitoring and auditing processes, are developed by our cross-functional information security team. CMC’s data protection roadmap aligns with the Center for Internet Security’s Top 18 Critical Security Controls and additional frameworks including the National Institute of Standards and Technology (NIST). The roadmap includes procedures such as multi-factor authentication, security vulnerability management and regular engagement of third-party experts to assess our cybersecurity controls and vulnerabilities and upgrade our systems and controls as appropriate.

We track information security metrics monthly and report them to the chief information officer and others, as appropriate. The information security team provides quarterly cybersecurity briefings to the Board’s Audit Committee and briefs the full Board annually. All employees receive regular training to protect sensitive data from breaches by avoiding and mitigating information security risks, including phishing, malware, viruses and hacking.