FASTENAL CO 10-K Cybersecurity GRC - 2024-02-06

Page last updated on April 11, 2024

FASTENAL CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-06 12:35:41 EST.

Filings

10-K filed on 2024-02-06

FASTENAL CO filed a 10-K at 2024-02-06 12:35:41 EST
Accession Number: 0000815556-24-000009


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have established processes and procedures for ensuring the confidentiality, integrity, and availability of data. These processes are in place to assess, identify, and manage material risks from cybersecurity threats. Annual risk assessments are performed and incorporated as part of our Enterprise Risk Management (ERM) organizational process, which is overseen by our Board of Directors (the Board) and the Audit Committee, along with Executive Leadership.

Our information security management system (ISMS) program is aligned to ISO 27001, which is an international standard to manage information security. ISO 27001 is published by the International Organization for Standardization (ISO), the world's largest developer of voluntary standards, and the International Electrotechnical Commission (IEC).

Our information technology (IT) security department, led by our Senior Vice President (SVP) IT Infrastructure & Security, is tasked with monitoring cybersecurity and operational risks related to information security and system disruption. The team employs measures designed to protect against, detect, and respond to cybersecurity threats, and has implemented processes and procedures aligned with our information security management system to support and promote resilient programs. This includes:

- Enterprise security framework and cyber security standards;
- Cyber security awareness and training plans;
- Security assessments and monitoring;
- Restricted physical access to critical areas, servers, and network equipment;
- Incident response, crisis management, business continuity, and disaster recovery plans; and
- Third-party IT vendor risk management process to identify, assess, and manage risks presented by our IT vendors and business partners.

Our IT security department maintains a playbook to respond to potential cybersecurity threats. We conduct tabletop exercises for tactical response readiness, perform regular security scans of our environment both from an external and internal perspective, as well as work with a qualified third-party vendor to perform penetration tests of our environment. Any identified risks are included in our overall risk management program, and internal and external auditors validate our IT controls on a regular basis.

We conduct organization-wide cybersecurity training and compliance exercises in connection with our information security program. This training consists of educational material and compliance testing administered to all of our employees, which is tracked and recorded throughout the year. Results and progress are shared with Executive Leadership, the Audit Committee, and the Board. Employee phishing tests are conducted on a regular basis. Employees who do not follow protocol are redirected for additional training.

We have implemented an IT vendor risk management policy that provides guidance in managing risks associated with IT vendors and business partners. We have also established a third-party risk management program and conduct pre-onboarding security assessments and annual re-assessments of our service providers to collect, track, and manage third-party security controls based upon the risk presented to the business. Any issues identified during assessment are tracked through to remediation.

Governance

Our Board of Directors and Audit Committee are actively engaged in the oversight of our risk management, including cybersecurity risk. The Audit Committee receives quarterly reports on information security from our SVP IT Infrastructure & Security. Additionally, Executive Leadership is briefed on information security at least quarterly by members of our IT security, compliance, governance, and audit teams.

The Audit Committee of the Board is responsible for overseeing our risk exposure to information security, cybersecurity, and data protection, as well as the steps management has taken to monitor and control such exposures. Our IT security department, which assesses and manages our risks from cybersecurity threats, is led by our SVP IT Infrastructure & Security, who reports to our Senior EVP IT. Additional oversight for assessing and managing cybersecurity risk includes Executive sponsors, Information Technology, Human Resources, IT Governance Risk and Compliance, Internal Audit, and Legal, as well as members of our Information Security Risk Council, IT Risk Committee, and Enterprise Risk Management teams.

We have in place an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents. The Information Security Risk Council, Executive Leadership, the Audit Committee, and the Board are notified of any material cybersecurity incidents through an established escalation process. Additionally, we maintain a qualified third-party vendor relationship which is available to the team for on-demand incident response and investigation, as needed.

The IT security department team members have degrees applicable to cybersecurity, including Bachelors in Information Systems, Computer Science, Management Information Systems and/or Masters in Cybersecurity, and hold professional certifications, including Certified Information Systems Security Professional, Offensive Security Certified Professional, Global Information Assurance Certification (GIAC) Defensible Security Architecture, GIAC Forensic Examiner, GIAC Incident Handling, and GIAC Open Source Intelligence. Our SVP IT Infrastructure & Security holds a Cybersecurity and Privacy Law Certificate from Mitchell Hamline School of Law, and has 28 years of experience in systems, network, and database administration. Additionally, our Senior IT security department manager is an Offensive Security Certified Professional, and holds GIAC Security Leadership (GSLC), with over 25 years of experience in network performance, availability, and protection.

Impact of Cybersecurity Threats

There have been no previous cybersecurity incidents which have materially affected us to date, including our business strategy, results of operations or financial condition. However, any future potential risks from cybersecurity threats, including but not limited to exploitation of vulnerabilities, ransomware, denial of service, supply chain attacks, or other similar threats may materially affect us, including our execution of business strategy, reputation, results of operations and/or financial condition.


Company Information

Name: FASTENAL CO
CIK: 0000815556
SIC Description: Retail-Building Materials, Hardware, Garden Supply
Ticker: FAST - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30