QXO, Inc. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

QXO, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 09:01:13 EST.

Filings

10-K filed on 2026-02-27

QXO, Inc. filed a 10-K at 2026-02-27 09:01:13 EST
Accession Number: 0001628280-26-012601

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our information security program is designed to protect and preserve the confidentiality, integrity, and availability of our information technology assets. This program is overseen by our chief information security officer (" CISO "), whose team is responsible for leading the cybersecurity strategy, policy, standards, threat detection and prevention, and incident response processes. Our CISO reports directly to our chief information officer ("CIO") on the effectiveness of our cybersecurity program and has 20 years of IT experience, including leadership roles with enterprise responsibility for IT audit, IT infrastructure, and cybersecurity. Our cybersecurity risk management system is integrated into our broader enterprise risk management ("ERM") framework. This ERM process is facilitated by a risk committee, which is comprised of senior leaders from key functional and operational areas across the company. The risk committee has separate discussions for each risk with senior-level risk owners who have firsthand knowledge of their commercial or functional area. For cybersecurity-related risks, these discussions include the CISO and other key IT leadership. Through these discussions, the risk committee develops an enterprise-wide risk profile, which it then reviews and refines with the executive leadership team before presenting it to the Board. In addition to reports to the Board on our enterprise risks, at least annually, the Audit Committee reviews with management the Company's cybersecurity assessment and risk management policies, including any significant cybersecurity or data privacy risk exposures and management's plans to monitor or mitigate them. We employ various technical controls and measures to protect against cybersecurity attacks, which align with functions identified in the National Institute of Standards and Technology Cybersecurity 2.0 Framework. These include, among other things, a cybersecurity awareness training program for all employees and frequent phishing simulations. The information security team also reviews our information security systems for unauthorized system access, cybersecurity incidents, indicators of compromise, and unusual traffic on our systems. Our CISO continuously monitors the effectiveness of our processes and controls, which drives investment decisions in our cybersecurity program. We periodically engage external subject matter experts who provide independent qualitative and quantitative assessments of the cybersecurity program maturity and response readiness. Additionally, we use processes, such as third-party risk monitoring security rating agencies, to oversee and identify material risks from cybersecurity threats associated with our use of third-party technology and systems. We also maintain cybersecurity insurance coverage as part of our overall insurance portfolio. As of December 31, 2025, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the headings "Risks Related to Information Technology" in this Annual Report.

Company Information