Data Privacy and Security

CMC maintains a Bitsight rating of 810 – among the top in our industry. Less than 1% of all companies globally have a rating of 800 or more.

We endeavor to protect all proprietary data and sensitive information involving our business, employees, vendors and customers from security breaches or cyber incidents. For data used both locally and internationally, we comply with all applicable regulatory and statutory requirements, including:

EU General Data Protection Regulation
The California Consumer Privacy Act
The Colorado Privacy Act
The Connecticut Data Privacy Act
The Indiana Data Privacy Act
The Iowa Data Privacy Act
The Montana Data Privacy Act
The Oregon Consumer Data Protection Act
The Tennessee Consumer Data Protection Act
The Texas Consumer Data Protection Act
The Utah Consumer Data Protection Act
The Virginia Consumer Data Protection Act
The Sarbanes-Oxley Act of 2002

A cross-functional team of representatives from information technology, information security, internal audit, legal, human resources and other business departments is responsible for data-related policy development, monitoring and auditing. Our data protection tactics include document retention, multi-factor authentication and security vulnerability management. These are outlined in our Cyber Security Policy, which is reviewed and updated regularly to stay ahead of the ever-changing digital security environment. Our security risk profile and security roadmap align with the Center for Internet Security’s Top 18 Critical Security Controls and the NIST framework.

We regularly engage third-party experts to assess our cybersecurity controls and vulnerabilities and upgrade our systems and controls as appropriate. We test and update our Cyber Incident Response Plan and Data Breach Response Plan annually. Each month, we track security metrics and report findings to the chief information officer and others, as appropriate. We continue to train our employees throughout the year about malware, viruses, hacking, phishing and other information security risks, including how to avoid and mitigate them and how to protect our sensitive data from failures, breaches or cyber incidents.