GLOBAL INDUSTRIAL Co 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

GLOBAL INDUSTRIAL Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 16:56:42 EDT.

Filings

10-K filed on 2024-03-12

GLOBAL INDUSTRIAL Co filed an 10-K at 2024-03-12 16:56:42 EDT
Accession Number: 0000945114-24-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy Our processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on the standardized framework established by the National Institute of Standards and Technology ( NIST ), the International Organization for Standardization and other applicable industry standards. The NIST Cybersecurity Framework ( NIST CSF ) helps the Company prioritize its cybersecurity activities and take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect the Company s operations, finances, legal or regulatory compliance, or reputation. We rely on a cybersecurity team that works to identify, protect against, detect, respond to, and recover from cybersecurity threats and incidents through risk management and strategy. Our cybersecurity team has adopted procedures to promptly address material risks to the Company s cybersecurity environment, with a triage and remediation protocol in place. Once identified, cybersecurity risks and related mitigation efforts are prioritized based on their potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk. These strategies include, among others, the application of cybersecurity policies and procedures, implementation of administrative, technical, and physical controls, and employee training, education, and awareness initiatives. As part of our cybersecurity defense structure, our internal cybersecurity team performs the following actions, without exclusion: (i) tracking cybersecurity risks, threats and incidents to help identify and analyze them (ii) promptly reporting significant cybersecurity risks, threats and incidents to our CIO and (iii) utilizing third-party vendors and software for review, testing, preemption and monitoring of cybersecurity risks, threats and incidents. In addition, our CIO closely monitors the cybersecurity team s approach with regular reviews of security risks and vulnerabilities, security strategy and the implementation of mitigation plans and technology, and reports quarterly to our Audit 19 Table of Contents Committee and Board of Directors on, among other things, threats, mitigation measures, and preventative procedures and software. We have a robust cybersecurity training and awareness program that requires all employees to complete mandatory cybersecurity awareness, information handling, and privacy training at the time of onboarding and on an annual basis thereafter. In addition, we regularly test our employees compliance with best practices using various techniques, such as simulated phishing campaigns, to validate the efficacy of our cybersecurity training. We have implemented solutions, processes, and procedures to help mitigate the risk of cyberattacks, such as conducting annual vulnerability testing, and periodically engaging third-party experts to assist us with tasks such as implementing our incident response plan and conducting tabletop exercises. The Company tracks key performance indicators and cybersecurity metrics to evaluate the efficacy of its cybersecurity controls and practices. Furthermore, the Company s cybersecurity program is periodically reviewed and adjusted in an effort to maintain the program s agility and responsiveness as circumstances evolve, new cybersecurity threats emerge, and regulations change. As are other businesses, from time to time, we have experienced efforts by unknown persons, including bots , to access or breach our information systems, which have been prevented based on measures put in place by the Company. However, there can be no assurance we will be able to protect sensitive data and/or the integrity of the Company’s information systems and to defend against such efforts in the future. See Item 1A. Risk Factors of this Form 10-K. Governance As the head of our cybersecurity team, our CIO reports quarterly on cybersecurity to our Audit Committee, which has primary responsibility for cybersecurity oversight, and also to our full Board and regularly reports to the Chief Executive Officer on such cybersecurity matters. Cybersecurity risk is assessed and tracked as a significant risk faced by the Company and is closely managed along key risk indicators covering security maturity, risk exposure, and security operations. Performance against these indicators is regularly measured and discussed, among other things, in our Board reporting. The members of our cybersecurity team have risk management backgrounds, certifications, and/or cyber experience in prior professional roles and at the Company. The team maintains expertise on cyber risk management through certified security professionals on staff, external training and affiliations with relevant organizations. Additionally, we regularly engage with third party assessors, consultants, and advisors as needed for reviews and testing of our cybersecurity risk management systems. We have established a comprehensive incident response and recovery plan to identify, protect, respond to and recover from cybersecurity threats and incidents. The plan includes processes for the activation of the crisis management team (comprised of the Company s Chief Executive Officer, Chief Financial Officer and General Counsel), incident handling, and prompt and fulsome reporting to the Board upon discovery of a breach that could reasonably be material upon further investigation. Our procedures require reporting up the chain of command, even while materiality assessments are still being determined. In addition, we have pre-negotiated contracts with external third-party incident response providers to guide and assist the internal crisis management team as needed.

Company Information