GRACO INC 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

GRACO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 12:52:35 EST.

Filings

10-K filed on 2024-02-20

GRACO INC filed a 10-K at 2024-02-20 12:52:35 EST
Accession Number: 0000042888-24-000010


Item 1C. Cybersecurity.

Our cybersecurity program seeks to identify, assess and monitor material cybersecurity and other information technology risks and threats that may affect our information systems, networks and operations, including those systems and networks managed by third parties. We regularly assess potential risks and execute a layered cybersecurity strategy based on prevention, detection, mitigation, and remediation. The Company's cybersecurity risks are evaluated at least annually through our enterprise risk management program, which is a company-wide effort to identify, assess, manage, report and monitor material risks that may affect our ability to achieve our business objectives.

To manage our cybersecurity program, we have established a cross-functional cybersecurity oversight committee and cybersecurity team, both led by our Chief Information Officer (“CIO”). Our cybersecurity oversight committee and cybersecurity team, with the support of external cyber-specialist resources, include technical experts in cybersecurity risk management, incident response and security operations with extensive experience in the operations of networks, network security and infrastructure management. In addition, members of our cybersecurity team have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification. Our CIO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals on the cybersecurity management team and through the use of technological tools and software. Policies, procedures and controls under our cybersecurity program are designed in consideration of published frameworks, including the Center for Information Security (“CIS”) Critical Security Controls, and routinely evaluated for ongoing adherence to those frameworks.

Our cybersecurity program includes a process for incident response and continuous improvement. We enlist outside advisors to evaluate the maturity of our cybersecurity program, review processes and policies, conduct penetration and vulnerability tests and simulation exercises, and to monitor and help identify potential cybersecurity incidents. We provide training to our employees to help identify potential cybersecurity threats and attacks through an annual cybersecurity awareness month and targeted phishing campaigns. When considering to engage with third-party service providers, we assess the risks from cybersecurity threats posed by such engagement and continue to evaluate those risks throughout the duration of the relationship.

The Audit Committee of the Board of Directors oversees the Company's cybersecurity risks and strategy. Management provides regular updates to the Audit Committee on cybersecurity risks facing the Company, the systems management has in place to mitigate and manage those risks, the status of key cybersecurity initiatives through a review of the Company's cybersecurity strategic roadmap and whether any material cybersecurity incidents have occurred. The Audit Committee performs an annual review of the Company's cybersecurity program, which includes an update of the cybersecurity threat landscape, discussion of management's actions to identify and detect threats, and a review of assessments, penetration tests and other audits performed by internal and external parties. In addition, management periodically arranges for outside experts to present to the Audit Committee on cyber governance frameworks, regulatory developments, industry practices and risk management.

None of the cybersecurity risks, including as a result of any prior incidents we have experienced, have had a material adverse impact on our operations, business or financial condition.


Company Information

Name: GRACO INC
CIK: 0000042888
SIC Description: Pumps & Pumping Equipment
Ticker: GGG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 26