RPM builds trust with our associates, customers and other stakeholders by understanding the importance of securing the data with which we are entrusted, complying with data protection laws and recognizing applicable data-related rights afforded to individuals.
Our Information Security Program is designed to protect and preserve the confidentiality, integrity and continued availability of all information we own or have in our care. The program is led by our Senior Director – Information Security, in coordination with other members of our Information Technology (IT) executive leadership. IT executive leadership and our Legal and Compliance department are responsible for defining our strategy and managing our internal approach to cybersecurity and data privacy governance.
Our Senior Director – Information Security provides the Audit Committee of our Board of Directors with quarterly updates on data security controls, incidents, reviews, protocols, training and remediation processes. Additionally, at least once per year, the Senior Director – Information Security will present to the Board of Directors an Information Security update focusing on current status, current projects and future state. Our Chief Audit Executive also provides the Audit Committee with quarterly and annual reports regarding our data security compliance and internal controls audits. A corporate compliance and hotline report is also provided at each Audit Committee meeting.
We regularly test our data security controls for reliability and compliance, and we employ auditors focused on data governance, security and related compliance to assess our controls, systems and policies. In addition to our internal testing, we use third-party consultants to review our systems, including external penetration testing, and to provide insight on new and evolving threats as well as specialized advice on how best to mitigate those threats.
RPM is committed to complying with all applicable data protection laws and respecting the privacy rights afforded to individuals in the jurisdictions in which we operate. Our Privacy Policy outlines the ways we collect, use, share or otherwise process the personal data of our customers, end users and other third parties. An accompanying Privacy Notice informs users of their rights, as well as how to contact us with questions or concerns about their information or our data practices.
We also have internal data privacy policies that describe the ways we collect, use, share or otherwise process the personal data of our associates and the rights that may be afforded to them under applicable law. In FY25, we updated these policies and added a Website Privacy Policy, which includes details on how our systems collect and store cookies, share data and support individual rights related to the processing of personal information. We also use a range of operational and technological safeguards designed to prevent unauthorized access to and disclosure of personal information.
Associates receive training on data privacy, including how to identify and appropriately handle personal information. As required by our internal Global Data Protection Policy, projects, processes and tools that involve sensitive personal data or high-risk processing are reviewed for legal compliance and to ensure privacy-by-design concepts are incorporated where appropriate. RPM has processes in place to respond to data requests and other relevant personal data-related questions and concerns.
HIGHLIGHT
In April 2025, we launched “The Data Beacon: Lighting the Way” campaign to help our associates adopt best practices in data privacy and understand the key role they play in keeping our data secure. The campaign included posters throughout our facilities, engaging videos and insights shared on our Data Beacon Podcast on data privacy and security.
Our Information Security team provides associates across the organization with regular training and resources that highlight potential cyber threats, concerns and ways to avoid digital incidents. For example, we conduct monthly phishing tests for employees.
We require that all data incidents be immediately reported to our Legal and Compliance department via our Reportable Events portal. These incidents are investigated by the Legal and Compliance and Information Security teams to ensure that any resulting risks are appropriately identified and remediated according to RPM’s cybersecurity and data privacy escalation procedures.
ADDITIONAL INFORMATION
Learn more about our approach to information security and data privacy in our 2025 Form 10-K.