PATTERSON COMPANIES, INC. 10-K Cybersecurity GRC - 2024-06-18

Page last updated on July 16, 2024

PATTERSON COMPANIES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-18 14:13:57 EDT.

Filings

10-K filed on 2024-06-18

PATTERSON COMPANIES, INC. filed a 10-K at 2024-06-18 14:13:57 EDT
Accession Number: 0000891024-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk management and strategy Our processes for assessing, identifying, and managing material risks from cybersecurity threats are incorporated into our overall enterprise risk management framework. We take a cross-functional approach to cybersecurity risk, which includes input from information security, information technology, legal, compliance, internal audit, finance, and operations, as appropriate. Under the oversight of our Board, including its Audit and Finance Committee, our senior management, information security team, and our Cybersecurity Risk Committee (comprised of key executive and senior leaders from primary corporate functions) devote resources to cybersecurity and implement risk management processes designed to adapt to the changing cybersecurity landscape, respond to emerging threats and proactively coordinate our people, processes and procedures to respond to cybersecurity incidents. We regularly assess the threat landscape and cybersecurity risks. Our internal audit team reviews enterprise risk management-level cybersecurity risks as part of our overall enterprise risk management framework. In addition, our information security team oversees regular monitoring of our information technology and other operating systems that are designed to detect potential security incidents. We have operationalized a written incident response plan designed to assess, identify and coordinate among various functions the response activities to cyber incidents and determine the impact of any such cybersecurity incidents that may jeopardize the confidentiality, integrity or availability of our information systems or adversely affect our business and information systems. In the event of a significant cybersecurity incident, the incident response plan provides guidance on roles, responsibilities, procedures and reporting processes. Depending on the environment and system, we have implemented a number of measures and policies designed to enhance the security and resiliency of our network, information and data systems, including but not limited to: encryption standards; antivirus protection; remote access; multifactor authentication; treatment of confidential information and the use of the internet, artificial intelligence, social media, email and wireless devices; user access control management; intrusion monitoring systems; information security continuity measures, including redundant systems and information backups; network segmentation; encryption of certain data; event logging; and implementation of an application patching and update cadence. These measures and policies go through an internal review process and are approved by appropriate members of management. We have performed simulations and tabletop exercises at a management level. Our employees are required to complete cybersecurity training at least once every year and have access to more frequent cybersecurity trainings online. We also require certain employees to complete additional role-based cybersecurity trainings. Our information security team regularly monitors for potential cybersecurity incidents and we have processes in place designed to escalate within the company more serious incidents, as appropriate. We use consultants and other third parties to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example, cybersecurity software providers, managed cybersecurity service providers, professional cybersecurity advisors, and penetration testing firms. Depending on the nature of the services provided, the sensitivity of the systems and data at issue, and the identity of the service provider, we take various measures designed to help manage cybersecurity risk associated with our use of third-party service providers, which may include due diligence; monitoring of cybersecurity threat risks identified through such diligence in connection with our use of third-party service providers; and imposing certain contractual obligations. While we face a number of cybersecurity risks in connection with our business and from time to time we have had to address non-material security incidents and expect to experience security incidents in the future, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. For more information about the cybersecurity risks we face that may materially affect the Company, see the risk factor entitled “Risks generally associated with information systems, software products and cybersecurity attacks could adversely affect our results of operations” in Item 1A - Risk Factors. Governance Our Chief Information Security Officer (CISO) is responsible for developing and implementing our cybersecurity risk management and information security program, including regularly reporting on cybersecurity matters to management and the Audit and Finance Committee. He has a Bachelor of Science degree in Information Technology from Saint Mary’s University of Minnesota and over 25 years of experience covering a wide range of enterprise IT and Information Security programs for large, global corporations. He also has multiple industry certifications, including as a Certified Information Systems Security Professional (CISSP), and participates in various security leadership forums and committees. Our CISO has led our cybersecurity program since joining our company in 2018, and was recently promoted to CISO from Senior Director, Information Security. Our CISO reports to our Chief Information Officer (CIO), who has held that role for 7 years and oversees our broader information technology program. He has over 30 years of information technology experience, including over 20 years in leadership roles. Among other matters, our Board delegates to our Audit and Finance Committee the oversight of our programs, policies, and procedures related to cybersecurity, information asset security, and network security. Broad oversight is maintained by our full Board, which receives regular reports from the Audit and Finance Committee as well as management, as appropriate. The Audit and Finance Committee and the full Board actively participate in discussions with management and among themselves regarding cybersecurity risk. Our CIO and CISO present to the Audit and Finance Committee at least a bi-annual review of our strategies, policies and internal controls relating to information technology and cybersecurity (including network security, cloud security and physical security), with respect to corporate goals, industry trends and competitive advantages. To aid the Board with its cybersecurity oversight responsibilities, the Board also receives regular presentations on these topics. Our incident response plan is designed to escalate certain cybersecurity incidents, from our information security team and CISO, through our Chief Legal Officer and CIO, to our Audit and Finance Committee, depending on the impact of the incident.

Company Information