GRAYBAR ELECTRIC CO INC 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

GRAYBAR ELECTRIC CO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 12:26:27 EDT.

Filings

10-K filed on 2024-03-14

GRAYBAR ELECTRIC CO INC filed an 10-K at 2024-03-14 12:26:27 EDT
Accession Number: 0000205402-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybers ecurity Risk Management and Strategy We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. Our efforts are designed to maintain the confidentiality, integrity, and availability of our information and operational technology systems and the data stored on those systems. The program includes: periodic risk assessments to identify and assess cybersecurity risks and vulnerabilities in our information technology systems security event monitoring, management, and incident response third party engagements to perform periodic penetration testing and reviews of program maturity based on industry standard frameworks reviews by our internal audit team of the effectiveness of information technology-related internal controls 8 cybersecurity risk assessments of our third-party vendors and employee training, including regular phishing simulations. Cybersecurity threats on our information systems are included as a topic considered by our risk committee working group. This group identifies, assesses and makes related recommendations for managing a number of risks, including cybersecurity threats. Management has also formed an enterprise risk management committee which is charged with addressing the full spectrum of its risks and managing the potential individual as well as combined impact of those risks as an interrelated risk portfolio. Moreover, this group engages subject matter experts from various departments within the Company to engage in a bi-annual exercise designed to identify potential worse case scenarios, the estimated likelihood of each, and the potential financial impact of each risk, as well as to prioritize such risks, including the risk of a cybersecurity threat. We also have a standing risk committee. The purpose of the risk committee is to oversee a sustainable dynamic process that enables enterprise-wide cross-functional analysis and assessment of risks that may threaten the Company or provide opportunities to leverage resources to create growth opportunities. Under its charter, the committee is to be comprised of at least three members of the Board, selected by the President. The committee has established a working group that is comprised of representatives from the following functional areas of the Company: treasury, human resources, legal, supply chain management, sales, and marketing. Currently, the Senior Vice President, Secretary and General Counsel, a member of the risk committee, apprises the Board quarterly of the working group and this Committee s activities. As a result of these and other initiatives, we believe we have appropriate processes in place, including in many cases, related contractual provisions, as well as appropriate physical and administrative controls, that are designed to allow oversight and identification of cybersecurity threats related to our use of third-party service providers. Governance The Audit Committee charter provides that it shall review, at least annually, the Company s cybersecurity program and shall receive frequent updates on cybersecurity and the development of Company s cyber strategy and the Company s corresponding information technology emergency response plan. Our director, information security, reports at least quarterly to the Audit Committee during its regularly scheduled meetings, and engages in weekly dialogue with the Chair of the Audit Committee and Senior Vice President, Secretary and General Counsel, including with respect to matters identified by our information technology department. Impact of Cybersecurity Events In the fourth quarter of 2023, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, materially affected or would reasonably be likely to materially affect Graybar, including our business strategy, results of operations or financial condition.

Company Information