Page last updated on October 24, 2024
MSC INDUSTRIAL DIRECT CO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-24 15:33:40 EDT.
Filings
10-K filed on 2024-10-24
MSC INDUSTRIAL DIRECT CO INC filed a 10-K at 2024-10-24 15:33:40 EDT
Accession Number: 0001003078-24-000107
Item 1C. Cybersecurity.
We have established controls for identifying, assessing and managing material risks from cybersecurity threats that could adversely affect our information systems or the information residing on those systems. These include a combination of policies, procedures, technologies and safeguards (based on frameworks such as Cybersecurity Maturity Model Certification (“CMMC”) and Payment Card Industry (“PCI”)) that are designed to prevent, detect, and mitigate data loss, theft, misuse, unauthorized access, and other security incidents or vulnerabilities affecting our systems and data, and to assess and evaluate the risk of such incidents and vulnerabilities. Additionally, we have processes in place designed to oversee and identify material risks from cybersecurity threats associated with our use of third-party technology and systems, including our cloud computing platforms.
As part of our risk management process, we conduct application security assessments, security audits, third-party penetration testing, vulnerability assessments and ongoing risk assessments. We also maintain a variety of incident response plans that are utilized when incidents are detected.
Associates of the Company complete an annual cybersecurity training program in which specific threats and scenarios are highlighted based on the cyber risk management team’s analysis of current cyber risks to the Company or as required by regulatory frameworks. Simulated phishing tests are conducted with associates on a regular basis to provide training and awareness against scams and fraudulent communications. Associates also receive ongoing communications regarding the importance of guarding against phishing, social engineering and other cyberattack vectors.
In addition to our in-house cybersecurity capabilities, at times, we also engage consultants, auditors or other third parties to assist with assessing, identifying and managing cybersecurity risks.
We maintain cybersecurity insurance and regularly review our policy and levels of coverage based on current risks.
Our cyber management team, led by our Vice President of Information Security, is tasked with implementing and maintaining centralized cybersecurity and data protection practices in close coordination with MSC’s leadership team and other teams across the Company. Our Vice President of Information Security has extensive cybersecurity knowledge and skills gained from over 25 years of work experience across multiple verticals. Reporting to our Vice President of Information Security are a number of experienced information security professionals responsible for various parts of our business, including Architecture and Engineering, Identity and Access Management, Security Operations, and Governance, Risk and Compliance programs, each of which is supported by a team of trained cybersecurity professionals.
The Audit Committee of our Board of Directors (the “Audit Committee”) oversees our financial and risk management policies, including risk management policies and programs related to cybersecurity designed to monitor, mitigate and respond to cyber risks, threats, and reports. The Audit Committee receives regular reports from the Vice President of Information Security on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s cybersecurity program and the emerging cyber threat landscape. Additionally, the Audit Committee has engaged a consulting firm to serve in the role of a cybersecurity advisor to the Audit Committee. In fulfilling this role, the consultant will engage with the Vice President of Information Security and other associates of the Company to evaluate the Company’s cybersecurity maturity and advise the Audit Committee on cybersecurity gaps, best practices and industry trends on an ongoing basis.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, but we cannot provide assurance that we will not be materially affected in the future by such risks or future cybersecurity incidents. For more information on our cybersecurity related risks, see Item 1A. Risk Factors of this Annual Report on Form 10-K.
Company Information
Name | MSC INDUSTRIAL DIRECT CO INC |
CIK | 0001003078 |
SIC Description | Wholesale-Industrial Machinery & Equipment |
Ticker | MSM - NYSE |
Category | Large accelerated filer |
Fiscal Year End | August 30 |