Ferguson Enterprises Inc. /DE/ 10-K Cybersecurity GRC - 2024-09-25

Page last updated on September 26, 2024

Ferguson Enterprises Inc. /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-25 16:21:22 EDT.

Filings

10-K filed on 2024-09-25

Ferguson Enterprises Inc. /DE/ filed a 10-K at 2024-09-25 16:21:22 EDT
Accession Number: 0002011641-24-000005


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. We maintain a strategic plan to protect our information and to manage and mitigate emerging cybersecurity threats. Our cybersecurity team, led by our Chief Information Security Officer (“CISO”), oversees our cybersecurity efforts on a day-to-day basis. Our cybersecurity team, in partnership with third parties, designs, implements and operates our data security and cybersecurity programs, risk assessments, monitoring procedures, and training programs for our associates. Cybersecurity risk management is integrated into our overall enterprise risk management program (“ERM Program”), and our cybersecurity, legal, infrastructure, privacy and other cross-functional teams work together to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Cybersecurity risk management is also integrated into our broader risk management framework through information technology general controls that are independently tested by our Internal Audit team, with the findings reported to the Audit Committee. As part of our cybersecurity risk management and strategy, the Company invests in processes, resources and incremental technical defenses to help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. We have enterprise-level compliance processes, policies and insurance coverage in place, including related to data protection and cybersecurity. We utilize the ISO 27001:2022 information security standard to drive our risk assessment and to identify and prioritize technology and process investments. Additionally, Ferguson maintains a Security Operations Center (“SOC”) with enterprise event visibility.

The Company maintains a Cybersecurity Incident Response Plan (“CIRP”) that establishes a foundation for capture, containment, escalation, and response to cybersecurity events across the Company. The CIRP details how the Company, including the SOC and cybersecurity team, prioritizes and responds to cybersecurity events and incidents, including when and how incidents are escalated to key members of management, who in turn determine whether further escalation to the Audit Committee or Board is appropriate. The CIRP also includes actions designed to enhance processes and responsiveness to address and prevent future incidents. Ferguson invests in associate training and education to prevent cyber attacks, including customized, role-based training provided to targeted internal audiences. In addition, we conduct periodic awareness campaigns and regular phishing email simulation tests to reinforce prior training and promote ongoing awareness of risks. We also periodically conduct tabletop exercises with management and other associates to practice cyber incident response and to improve our processes and strategies. In addition, Ferguson regularly engages with independent third-party partners, including cybersecurity assessors, consultants, and auditors, to assess and consult on our cybersecurity capabilities, prioritize areas of risk and assist with execution of our risk management systems and strategic plans. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements. To mitigate data or security incidents that may originate from third-party suppliers, we have a third-party risk management program that works to classify service provider or business partner risk based on several factors, including but not limited to the type of data accessed and/or retained.

Using a risk-based approach, we perform diligence and security risk assessments for certain vendors and service providers, including appropriate obligations in our contractual arrangements where applicable.

As of the date of this Annual Report, cybersecurity incidents and risks, separately or in aggregate, have not materially affected our business strategy, results of operations, and financial condition. However, we face ongoing risks from cybersecurity threats, and there can be no assurance that our security efforts and measures, and those of our third-party vendors, will prevent breakdowns or incidents to our or our third-party vendors’ systems that could adversely affect our business. See “Risk Factors-If we are unable to protect our sensitive data and information systems against data corruption, cybersecurity incidents or network security breaches, or if we are unable to provide adequate security in the electronic transmission of sensitive data, it could adversely affect our business, financial condition and results of operations” and “-A failure of a key information technology system or process could adversely affect the operations of our business” in Item 1A of this Annual Report for more information on our cybersecurity-related risks.

Governance

Role of the Board

Our Board is ultimately responsible for the risk oversight of the Company, including risks from cybersecurity threats. The Board has delegated to the Audit Committee responsibility for monitoring the overall adequacy and effectiveness of the ERM Program, and the Audit Committee is specifically charged with discussing the Company’s cybersecurity risk exposures and the steps management has taken to monitor and control these exposures.

The Board and/or the Audit Committee receives periodic reports, briefings and presentations on data protection and cybersecurity matters from senior information technology leaders, including our Chief Digital and Information Officer (“CDIO”) and CISO, as well as from our Internal Audit team. In addition, our Chief Legal Officer provides reports on the ERM Program. Periodically, our Board receives reports and/or presentations on cybersecurity matters prepared by third-party cybersecurity experts. In addition to these Board and Audit Committee updates, our CIRP provides that significant developments or incidents, even if immaterial to the Company, will be reviewed regularly by a cross-functional team to determine whether further escalation to the Audit Committee or Board is appropriate, enabling Audit Committee and Board oversight that is timely and responsive.

Role of Management

Pursuant to our ERM Program charter, our Executive Committee is responsible for assessing and managing the Company’s exposure to enterprise risks. The Executive Committee is composed of the CEO and his direct reports, including the CDIO. Our CISO and the cybersecurity teams are primarily responsible for identifying, assessing, monitoring and managing our cybersecurity threats. They receive information regarding cybersecurity incidents and threats from the SOC and through internal escalation procedures detailed in the CIRP. The CISO then provides periodic reports to the Executive Committee, including reporting on significant cybersecurity incidents and resulting remedial actions, the cybersecurity team’s strategic plan, the results of associate trainings, and any other notable cybersecurity matters. Our CISO has 25 years of industry experience, including in developing and leading cybersecurity risk management programs for Fortune 100 companies.

Additionally, our CISO and members of the cybersecurity team hold a number of industry-recognized certifications, such as Certified Information Systems Security Professional, Payment Card Industry Data Security Standard Internal Security Assessor, Certified Information Security Manager, Certified in Risk and Information Systems Control, and Certified Ethical Hacker, among others.


Company Information

Name: Ferguson Enterprises Inc. /DE/
CIK: 0002011641
SIC Description: Wholesale-Hardware & Plumbing & Heating Equipment & Supplies
Ticker: FERG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: July 30