CDW Corp 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

CDW Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 16:05:30 EST.

Filings

10-K filed on 2024-02-26

CDW Corp filed an 10-K at 2024-02-26 16:05:30 EST
Accession Number: 0001402057-24-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have a dedicated team of information security professionals who leads our enterprise-wide cyber security strategy, risk management, cyber defense, software security, security monitoring and other related functions. This team is overseen by our Chief Information Security Officer ( CISO ), who reports to our Chief Technology Officer ( CTO ). The CISO has extensive background in that role at an enterprise level and has over 20 years of experience in the field of cybersecurity. Additionally, the processes overseen by our global information security team are integrated with our enterprise risk management program, including routine reporting on cyber risk through the different levels of the enterprise risk management governance structure and alignment on risk management frameworks and processes. Our information security management program is ISO 27001 certified, and we undergo routine audits by an independent, certified accreditation body to maintain this certification. Our program is designed to guide our practices which are based on relevant industry frameworks and laws. This program consists of policies, practices and procedures designed to manage material risks from cybersecurity threats, including training requirements, threat monitoring and detection and threat containment and risk assessments. Additionally, we leverage third-party firms to conduct routine external and internal penetration testing to emulate the common tactics and techniques of cyber threat actors and have processes to address identified vulnerabilities, although it may take time to mitigate or manage such vulnerabilities. We also have policies and procedures to oversee and identify the cybersecurity risks associated with our use of third-party service providers for both internal use and external use. These policies and procedures include onboarding risk assessments prior to engagement and, as appropriate based on identified risk, may include cybersecurity-related contractual terms and periodic risk assessments throughout the life cycle of the third-party relationship. Lastly, we maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business to cover certain costs related to cybersecurity incidents. We refine our cybersecurity program by staying informed on security threats, leveraging third-party cybersecurity firms and investing in enhancements to our preventive and defensive capabilities. In addition to our policies and procedures to manage and identify cybersecurity risks, we have an incident response plan designed to analyze, contain, remediate and communicate cybersecurity matters to help ensure a timely and robust response to actual or attempted incidents. As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. However, we cannot provide assurance that these threats will not result in such an impact in the future. For more information regarding risks relating to information technology and cybersecurity, see Item 1A. Risk Factors. The Audit Committee is primarily responsible for overseeing our enterprise risk management process on behalf of the Board of Directors, including cybersecurity risks. The CTO and CISO regularly provide reporting on cybersecurity matters to both senior management and the Audit Committee and at least annually to the Board of Directors. This reporting includes updates on our information security strategy, key cyber risks and threats and our progress towards protecting the Company from such risks and threats, assessments of our cybersecurity program and emerging trends. Depending on the criticality of a cybersecurity incident, certain matters are required to be reported promptly to the Board of Directors, as appropriate, in accordance with our incident response plan.

Company Information