DNOW Inc. 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

DNOW Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 14:15:40 EST.

Filings

10-K filed on 2024-02-15

DNOW Inc. filed an 10-K at 2024-02-15 14:15:40 EST
Accession Number: 0000950170-24-015744

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cyber Risk Management The Company recognizes the increasing significance of cybersecurity threats in today’s digital landscape and has implemented a cyber risk management program to identify, assess, manage, mitigate and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management program. Our approach is designed to safeguard sensitive information, protect critical assets and maintain the integrity of our operations. Our cyber risk management program includes: Regular assessments of cyber risks, taking into account the evolving threat landscape, technological advancements and changes in our business operations. Proactive identification and mitigation of vulnerabilities in our information systems through regular scanning, testing and patch management. Implementing and continuously monitoring security controls, including firewalls, intrusion detection systems, encryption and access controls, to safeguard against unauthorized access and data breaches. Our controls are based on the latest Center of Internet Security (CIS) Critical Security Controls best practices for cybersecurity and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Regular testing of our Cyber Incident Response Plan through tabletop exercises to ensure a swift, coordinated and effective response in the event of cyber incidents to minimize impact on operations. Cybersecurity Strategy Our cybersecurity strategy is aligned with our overall business objectives and includes the following key elements: Implementation of multiple layers of security controls, including firewalls, intrusion detection and prevention systems, endpoint protection and encryption, to safeguard our information assets. Ongoing education programs for employees to enhance their awareness of cyber risks and promote a culture of cybersecurity throughout the organization. Governance Our governance structure is designed to ensure effective oversight and management of cybersecurity risks: The Board of Directors is actively engaged in overseeing cybersecurity matters, receiving regular briefings and ensuring alignment between cybersecurity strategy and overall business strategy. A dedicated committee oversees cybersecurity governance, assessing policies, practices and risk mitigation strategies and ensuring alignment with industry best practices. Our executive leadership team actively participates in the development and execution of cybersecurity strategy, reinforcing the importance of cybersecurity at the highest levels of the organization. Regulatory Compliance We remain committed to complying with all relevant cybersecurity regulations and standards applicable to our industry. Our governance structure is designed to adapt to evolving regulatory requirements and industry best practices. While we believe our current measures are robust, we recognize the dynamic nature of cyber threats and continually refine our approach to remain vigilant and responsive. This disclosure provides stakeholders with a comprehensive overview of the organization’s cyber risk management, strategy and governance practices, demonstrating a commitment towards proactive cybersecurity measures and compliance. 23 No unauthorized access to customer, vendor, supplier, joint venture, employee or our data occurred as a result of cybersecurity incidents against us that has had a material adverse effect on our business, operations, or consolidated financial condition. See additional information about our cybersecurity risks under Risks Relating to Our Business in Item1(a) Risk Factors. 24

Company Information