Check the appropriate box below if the Form filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

 

 

 

 

 

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§ 230.405 of this chapter) or Rule of the Securities Exchange Act of 1934 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

 

 

 

 

 

As disclosed in the Original Form

8-K,

the Company recently experienced a cybersecurity incident affecting certain information technology systems used by the Company. The Company’s investigation revealed that a threat actor illegally accessed the Company’s information technology systems. The cybersecurity incident resulted in a temporary limitation of access to portions of the Company’s information technology applications supporting some aspects of the Company’s operations at some of the Company’s facilities, and as noted in the Original Form

8-K,

in an abundance of caution, the Company temporarily and proactively halted certain production operations at various locations. The Company’s investigation also determined that the threat actor exfiltrated limited data from the Company’s information technology systems. The Company is reviewing and evaluating the impacted data and will carry out any appropriate notifications to potentially affected parties and to regulatory agencies as required by applicable law.

Upon detecting the unauthorized access, the Company immediately took steps to contain, assess, and remediate the cybersecurity incident, including activating its incident response plan, proactively taking potentially affected systems offline, restoring affected data from backup systems, and implementing other containment, remediation, and recovery measures. The Company also engaged leading external cybersecurity experts to assist with its investigation and recovery efforts and notified federal law enforcement authorities.

Since the filing of the Original Form

8-K,

the affected production operations, and access to necessary affected information technology applications, have been restored, and the Company believes that the threat actor no longer has access to the Company’s information technology systems. As part of its remediation efforts, the Company worked with its outside cybersecurity experts to further reinforce its information technology systems and to prevent future unauthorized access.

The cybersecurity incident has not had a material impact, and is not reasonably likely to have a material impact, on the Company’s business operations, and has not had a material impact, and is not reasonably likely to have a material impact, on the Company’s financial condition or results of operations.

Certain statements made in this report, or in other public filings, press releases, or other written or oral communications made by Nucor, which are not historical facts are forward-looking statements subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. These forward-looking statements involve risks and uncertainties which we expect will or may occur in the future and may impact our business, financial condition and results of operations. The words “anticipate,” “believe,” “expect,” “intend,” “project,” “may,” “will,” “should,” “could” and similar expressions are intended to identify those forward-looking statements. These forward-looking statements reflect the Company’s best judgment based on current information, and, although we base these statements on circumstances that we believe to be reasonable when made, there can be no assurance that future events will not affect the accuracy of such forward-looking information. As such, the forward-looking statements are not guarantees of future performance, and actual results may vary materially from the projected results and expectations discussed in this report. Factors that might cause the Company’s actual results to differ materially from those anticipated in forward-looking statements include, but are not limited to: the Company’s ongoing assessment of the impacts of the cybersecurity incident, including the Company’s potential discovery of additional information related to the incident in connection with its investigation or otherwise; the Company’s expectations regarding its ability to contain and remediate the cybersecurity incident; the impact of the cybersecurity incident on the Company’s relationships with customers, employees, and governmental regulators; the legal, reputational, and financial risks resulting from the cybersecurity incident, including as may arise from any potential regulatory inquiries and/or litigation to which the Company may become subject in connection with the incident; remediation and other additional costs that may be incurred by the Company in connection with the investigation and remediation of the incident; and the risks discussed in “Item 1A. Risk Factors” of the Company’s Annual Report on Form for the year ended December 31, 2024, as may be supplemented by “Item 1A. Risk Factors” in the Company’s subsequent Quarterly Reports on Form and in the Company’s other periodic and current reports filed with the SEC.

 

1

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

 

 

2