GMS Inc. 10-K Cybersecurity GRC - 2024-06-20

Page last updated on July 16, 2024

GMS Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-20 16:46:40 EDT.


10-K filed on 2024-06-20

GMS Inc. filed a 10-K at 2024-06-20 16:46:40 EDT
Accession Number: 0001628280-24-029139


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company maintains comprehensive policies, procedures, and controls to protect the Company’s information systems and related data from cybersecurity threats and incidents. The Company’s cybersecurity program is led by its Chief Information Security Officer (“CISO”) and supervised by its Chief Information Officer (“CIO”). The Company’s cybersecurity program is a component of its overarching enterprise risk management program and interfaces with other functional areas within the Company, including, but not limited to, legal, accounting, risk management, human resources, internal audit, as well as external third-party partners, to identify, understand, and combat potential cybersecurity threats.

Our cybersecurity program is aligned with three recognized control frameworks: ISO 27001:2013; NIST SP 800-52; and the Center for Internet Security Top 20 Critical Security Controls. We conduct ongoing and robust testing of our systems, including penetration testing, internal and external audits, tabletop incident response exercises, and an annual Cyber Risk Assessment, the results of which are shared with the Audit Committee. We provide regular awareness training to our employees and contractors, including periodic phishing tests, to help identify, avoid, and mitigate cybersecurity threats, as well as targeted security training for key departments dealing with sensitive data types.

The Company has engaged a third-party managed detection and response company to monitor the security of its information systems. The Company also maintains a cybersecurity insurance policy and has engaged a third-party incident response consultant and legal counsel.

Cybersecurity Incident Response Process

We maintain and actively update our Cybersecurity Incident Response Plan to triage, contain, and mitigate any issues as quickly as possible. Our Cybersecurity Incident Response Plan includes steps to analyze, and as necessary, escalate cybersecurity incidents both internally and with third-party service providers based on the type and severity of the specific incident. Our Cybersecurity Incident Response Policy ensures that our CIO, and, as appropriate, our senior management team, members of our legal staff and outside legal counsel, our disclosure committee, and members of our Audit Committee or Board of Directors are timely informed of and consulted regarding cyber incidents.

Governance

The Company’s Board of Directors provides ultimate oversight of the Company’s cybersecurity risk management. As reflected in the Audit Committee’s charter, the Board of Directors has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee. The CIO presents quarterly updates to the Audit Committee on the Company’s cyber risks and threats, status of projects to strengthen the Company’s information security systems, and emerging threats. The Company also engages third parties to periodically evaluate and audit aspects of the Company’s information security programs, including by conducting vulnerability assessments and penetration testing, and the results of those findings are reported to the Audit Committee and used to help identify potentially material risks and prioritize certain security initiatives.

The Company does not believe that any risks from cybersecurity threats, nor any previous cybersecurity incidents, have materially affected the Company. However, the sophistication of cyber threats continues to increase, and the preventative actions the Company has taken and continues to take to reduce the risk of cyber incidents and protect its systems and information may not successfully protect against all cyber incidents.

For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors.”

Company Information

Name: GMS Inc.
SIC Description: Wholesale-Lumber & Other Construction Materials
Ticker: GMS - NYSE
Category: Large accelerated filer
Fiscal Year End: April 29