Page last updated on February 11, 2025
ARROW ELECTRONICS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 08:00:33 EST.
Filings
10-K filed on 2025-02-11
ARROW ELECTRONICS, INC. filed a 10-K at 2025-02-11 08:00:33 EST
Accession Number: 0001558370-25-000781
Item 1C. Cybersecurity.
Risk Management and Strategy
The company maintains a multi-layered approach to cybersecurity risk management which leverages technology and human oversight. The company uses active and passive methods designed to continuously monitor information systems and assess, identify, and manage potential vulnerabilities and threats. This digital-security management process is integrated into the company’s broader enterprise risk management framework.
The company utilizes active monitoring techniques (e.g., penetration testing), designed to leverage multiple sources of threat intelligence and vulnerability scanning complemented by endpoint protection and network systems. The company has a rapid-response protocol designed to investigate system alerts of potential cybersecurity threats, and the company’s incident response plan provides a structured approach to inter-departmental assessment, mitigation, and resolution of cybersecurity threats. The company conducts regular tabletop exercises to test and fortify the controls of its cybersecurity incident response program.
The company maintains strategic relationships with third-party cybersecurity experts and coordinates with various law-enforcement partners, each of whom may be engaged to provide additional investigative and remediation support. The company’s senior security leadership conducts periodic, in-depth reviews with the company’s enterprise risk management team and internal and external auditors to evaluate the effectiveness of the company’s cybersecurity systems, controls, and management processes.
The company conducts a security assessment for potential suppliers and service providers, which includes detailed interviews, questionnaires, and cyber-risk scoring. This process extends beyond initial engagement, with ongoing monitoring to identify emerging security risks or changes in suppliers’ risk profiles.
The company describes whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect the company under the heading “Cybersecurity incidents may hurt the company’s business, damage its reputation, increase its costs, and cause losses,” included as part of the company’s risk factor disclosures in Item 1A of this Annual Report on Form 10-K. To date, the company is not aware of any cybersecurity threats or incidents that have materially affected, or are reasonably likely to materially affect, the company, including its financial condition, results of operations, or business strategies.
Governance
The Board of Directors of the company (the “Board”), primarily through its Audit Committee, oversees the company’s cybersecurity program. The company’s CIO and CSO regularly report to the Audit Committee on the current state of the company’s cybersecurity program (including the current threat landscape, cybersecurity risks, and any significant incidents). The Audit Committee may provide updates to the Board on the substance of these reports and any recommendations for enhancements that the Audit Committee deems appropriate.
The CIO and CSO receive regular reports from the company’s cybersecurity department, both historical and real-time, about the company’s global cybersecurity status. The company believes this approach enables the CIO and CSO to monitor the company’s global security status and to identify and assess potential threats.
The company has established written policies and procedures to ensure that cybersecurity incidents are immediately investigated, addressed through the coordination of various internal departments, and publicly reported (to the extent required by applicable law). The company’s security organization assesses the severity and priority of incidents on a rolling basis, with escalations of cybersecurity incidents provided to the management team.
If management determines a cybersecurity incident is material, the company’s incident response plan and its disclosure controls and procedures set forth the process for any required disclosures and require management to promptly inform the Board.
Under the direction of the CIO, the CSO is responsible for global cybersecurity and business continuity, which includes security architecture, security operations, incident response, IT risk and compliance, physical security, fraud and security awareness and training. The CSO has over 20 years of security experience and holds a degree in IT and cybersecurity, along with maintaining certifications in risk, information security, data privacy, legal investigations, and audit, among other disciplines. The other members of the company’s security organization also have extensive cybersecurity, business, and technology experience and all hold certifications in their area of expertise.
Company Information
Name | ARROW ELECTRONICS, INC. |
CIK | 0000007536 |
SIC Description | Wholesale-Electronic Parts & Equipment, NEC |
Ticker | ARW - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |