TD SYNNEX CORP 10-K Cybersecurity GRC - 2026-01-27

Page last updated on February 4, 2026

TD SYNNEX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-01-27 16:03:34 EST.

Filings

10-K filed on 2026-01-27

TD SYNNEX CORP filed a 10-K at 2026-01-27 16:03:34 EST
Accession Number: 0001628280-26-003598

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity program is designed to protect the confidentiality, integrity and availability of critical assets and information, using a proactive and risk-based approach. We utilize the National Institute of Standards and Technology ("NIST") Cybersecurity Framework as well as other globally recognized standards. The NIST framework is structured around six Core Functions (Govern, Identify, Protect, Detect, Recover and Respond) and is a comprehensive approach to information and cybersecurity risk management. Our program includes policies, practices, procedures and controls designed to manage material risks from cybersecurity threats, including training requirements, threat monitoring and detection, threat containment and risk assessments. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our company's broader overall risk assessment process. We refine our cybersecurity program by staying informed on security threats, conducting tabletop exercises to proactively identify areas for improvements, and leveraging third-party cybersecurity firms and investing in enhancements to our preventive and defensive capabilities. We utilize a third-party remediation team on retainer for assistance in investigating and addressing cybersecurity incidents or threats. We maintain procedures for screening and evaluating third-party providers prior to granting them access to our information systems. Depending on the nature of the product or service to be provided, we screen any third-parties that could present a cybersecurity risk through a cyber risk assessment, and we review third-party suppliers post-engagement to identify changes in their security risk profile, including the occurrence of cybersecurity events affecting such suppliers. Contractual and statutory provisions require third-party suppliers to inform us of cyber incidents, in most cases. Additionally, we maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business to cover certain costs related to cybersecurity incidents. While we focus on prevention and detection, we also have incident response and recovery plans in place designed to analyze, contain, remediate and communicate cybersecurity matters to help ensure a timely and robust response to actual or attempted incidents. In the event of a cybersecurity incident, our incident response process involves assessing incident severity, conducting root cause analysis, creating and implementing plans to address the incident, mobilizing appropriate resources and identifying potential remedial measures and other appropriate next steps. We also have on retainer a third-party consultant to assist us in our incident response and remediation. As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected the Company, including our business strategy, results of operations or financial condition. However, we cannot provide assurance that these threats will not result in such an impact in the future. For more information regarding risks relating to information technology and cybersecurity, see " Item 1A. Risk Factors." Governance We have a team of information security professionals with expertise in the fields of cybersecurity and intelligence who lead our enterprise-wide cybersecurity strategy, risk management, cyber defense, software security, security monitoring and other related functions. This team is overseen by a Chief Information Security Officer ("CISO"), who reports to our Chief Information Officer ("CIO") and works with our Chief Legal Officer and other members of management. The Board of Directors is responsible for overseeing our enterprise risk management process, including our information security program, compliance and risk management and cybersecurity risks. The CISO and CIO regularly provides reporting on cybersecurity matters to senior management and reports to the Board of Directors on at least a semi-annual basis and to the Technology Committee of the Board of Directors on at least a quarterly basis. This reporting includes updates on our information security strategy, key cyber risks and threats, efforts at protecting the Company from such risks and threats, and assessments of our cybersecurity program with regard to emerging trends. Depending on the magnitude of a cybersecurity incident, certain matters are required to be reported promptly to the Board of Directors, as appropriate, in accordance with our security incident response plan. The Board of Directors' Technology Committee has an oversight role regarding technology-based risks and issues, including in relation to cybersecurity and other developing technologies, like generative AI. With respect to cybersecurity, the committee's role includes assisting the Board of Directors in evaluating management's role in designing, implementing and assessing our IT systems, reviewing our cyber risks and strategies as well as any significant incidents, and providing guidance regarding the Company's cybersecurity compliance obligations.

Company Information