TD SYNNEX CORP 10-K Cybersecurity GRC - 2025-01-24

Page last updated on January 24, 2025

TD SYNNEX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-24 16:01:43 EST.

Filings

10-K filed on 2025-01-24

TD SYNNEX CORP filed a 10-K at 2025-01-24 16:01:43 EST
Accession Number: 0001177394-25-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity program is designed to protect the confidentiality, integrity and availability of critical assets and information, using a proactive and risk-based approach. We utilize the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as well as other globally recognized standards. The NIST framework is structured around six Core Functions (Govern, Identify, Protect, Detect, Recover and Respond) and is a comprehensive approach to information and cybersecurity risk management. Our program includes policies, practices, procedures and controls designed to manage material risks from cybersecurity threats, including training requirements, threat monitoring and detection, threat containment and risk assessments. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our company’s broader overall risk assessment process. We refine our cybersecurity program by staying informed on security threats, conducting tabletop exercises to proactively identify areas for improvements, and leveraging third-party cybersecurity firms and investing in enhancements to our preventive and defensive capabilities. We utilize a third-party remediation team on retainer for assistance in investigating and addressing cybersecurity incidents or threats. We maintain procedures for screening and evaluating third-party providers prior to granting them access to our information systems. Depending on the nature of the product or service to be provided, we screen any third-parties that could present a cybersecurity risk through a cyber risk assessment, and we review third-party suppliers post-engagement to identify changes in their security risk profile, including the occurrence of cybersecurity events affecting such suppliers. Contractual and statutory provisions require third-party suppliers to inform us of cyber incidents, in most cases. Additionally, we maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business to cover certain costs related to cybersecurity incidents. While we focus on prevention and detection, we also have incident response and recovery plans in place designed to analyze, contain, remediate and communicate cybersecurity matters to help ensure a timely and robust response to actual or attempted incidents. In the event of a cybersecurity incident, our incident response process involves assessing incident severity, conducting root cause analysis, creating and implementing plans to address the incident, mobilizing appropriate resources and identifying potential remedial measures and other appropriate next steps. We also have on retainer a third-party consultant to assist us in our incident response and remediation. As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected the Company, including our business strategy, results of operations or financial condition. However, we cannot provide assurance that these threats will not result in such an impact in the future. For more information regarding risks relating to information technology and cybersecurity, see " Item 1A. Risk Factors." Governance We have a team of information security professionals who lead our enterprise-wide cybersecurity strategy, risk management, cyber defense, software security, security monitoring and other related functions. This team is overseen by our Chief Information Security Officer (“CISO”), who reports to our Chief Information Officer (“CIO”) and works with our Chief Legal Officer. Our CISO has over 30 years of experience in the fields of cybersecurity and intelligence with the Department of Defense, the defense contracting community and with publicly traded companies, and holds various technical credentials in the field, including a CIO Program Certificate from the College of Information and Cyberspace, National Defense University, and maintains a Certified Information System Security Professional (“CISSP”) designation as well as a Certified Information Privacy Professional (“CIPP”) designation. The Board of Directors is responsible for overseeing our enterprise risk management process, including our information security program, compliance and risk management and cybersecurity risks. The CISO regularly provides reporting on cybersecurity matters to senior management and reports to the Board of Directors on at least a semi-annual basis and, going forward, to the newly formed Technology Committee of the Board of Directors on at least a quarterly basis. This reporting includes updates on our information security strategy, key cyber risks and threats, progress towards protecting the Company from such risks and threats, and assessments of our cybersecurity program with regard to emerging trends. Depending on the magnitude of a cybersecurity incident, certain matters are required to be reported promptly to the Board of Directors, as appropriate, in accordance with our security incident response plan. The Board of Directors is in the process of creating a Technology Committee to have an oversight role regarding technology-based issues, including in relation to cybersecurity and generative artificial intelligence. With respect to cybersecurity, the committee’s role may include assisting the Board of Directors in evaluating management’s role in preparing, presenting and assessing our IT systems, reviewing our cyber risks and strategies as well as any significant incidents, and providing guidance regarding the Company’s cybersecurity compliance obligations.

Company Information