WESCO INTERNATIONAL INC 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

WESCO INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:34:33 EST.

Filings

10-K filed on 2025-02-14

WESCO INTERNATIONAL INC filed a 10-K at 2025-02-14 16:34:33 EST
Accession Number: 0000929008-25-000005


Item 1C. Cybersecurity.

Risk Management and Strategy

Information security and protection of our data is important to Wesco, our customers and suppliers. As a global company, we face various cybersecurity threats, ranging from phishing, ransomware and denial-of-service attacks to more recent threats incorporating the use of artificial intelligence. Our suppliers, third-party vendors, service providers, customers, and other business partners are also vulnerable to similar cybersecurity risks. In response to this evolving cybersecurity threat landscape, we have implemented a cybersecurity risk management program that follows a comprehensive, multi-layered approach to securing our data and business systems from attack, compromise or loss, guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This includes the combination of leading technologies, physical and organizational safeguards, including a robust suite of security policies and procedures. We have a dedicated 24 hours per day/seven days per week Cybersecurity Operations team, with a third-party service provider, monitoring our environment for signs of attack and responding in real-time. Our implementation of a multi-layer and multi-provider portfolio of technologies is designed to deliver overlapping coverage against continually evolving cybersecurity threats with a strong defensive and response-driven security posture. We evaluate risks, threats, intelligence feeds and vulnerabilities to adapt, mitigate or respond as appropriate to preserve a secure state. Additionally, we identify, assess and manage risks associated with our use of third-party service providers and other business partners and we maintain a comprehensive third-party risk management program to evaluate partners prior to onboarding, throughout the life of the relationship, and through the conclusion of the relationship. This program is designed to ensure our third-party partners adhere to Wesco’s security policies and expectations as the threat landscape and the relationship evolve.

We engage third-party experts, including auditors, consultants and advisors, to evaluate and enhance our cybersecurity program through security certifications, assessments and testing. Wesco’s cybersecurity programs are reviewed as part of our information security management system (“ISMS”) by external, independent third-party auditors. We have received ISO 27001 certification for our ISMS and we undergo annual audits by an independent accreditation body to maintain this certification. We also engage third-party consultants to perform penetration and vulnerability tests at least once per quarter, as well as annual “red team” engagements that simulate cyber threats. The results of these tests and assessments are used to establish priorities, allocate resources, and improve controls.

We conduct mandatory information security awareness training for all new hires and employees at least annually as well as specialized training for certain functions, such as developers, platform administrators and finance personnel. We have instituted regular phishing, social engineering and other malicious attack simulations, generally at least once per quarter, to enhance our employees’ awareness and responsiveness to such possible threats. We run several awareness campaigns each year covering a variety of topical cybersecurity subjects and we maintain an internal website that is accessible to all employees that has security policies, additional trainings, and current news events. Our security policies and trainings are regularly evaluated and updated to adapt to changing regulations and emerging cybersecurity risks. Our training program also includes expert guest speakers and additional training during cybersecurity awareness month each October.

While we focus on prevention and detection, we have response and recovery plans in place, as well as service agreements and partner engagements should there be a need for us to respond to an attack. We have adopted a cybersecurity incident response plan that provides direction and a defined approach for preparing for, identifying and responding to cybersecurity incidents that may pose a potential threat to our information systems, networks and data. We review the overall incident response plan at least annually or as needed to determine what updates (if any) are necessary. The plan defines the roles and responsibilities of our IT and security teams and other functional teams that comprise the cybersecurity incident response team, as well as provides controls and procedures for timely and accurate reporting of material cybersecurity incidents. Significant cybersecurity incidents are reviewed by a cross-functional team to determine whether further escalation is appropriate. Any incident that potentially is, or may become, material is reported to senior management for materiality and disclosure determinations. We also maintain cyber liability insurance coverage.

Through our enterprise risk management (“ERM”) program, we identify, assess and manage a broad range of risks across the organization. Through the ERM process, cybersecurity has been identified as an important risk facing our business. Accordingly, our cybersecurity risk management program is integrated into our overall ERM program and information about cybersecurity risks and our cybersecurity risk management program is reviewed as part of our ERM program. As of the date of this report, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially impacted us, including our business strategy, results of operations, or financial condition. However, we cannot provide assurance that we will not experience such an event moving forward and if realized, that we, or our business strategy, results of operations, or financial condition, would not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A, “Risk Factors” of this Annual Report on Form 10-K.

Governance

To more effectively prevent, detect and respond to information security threats, we have a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes. Our CISO has over 30 years of technology experience, including over twelve years of experience dedicated to cybersecurity. He has been in this role with Wesco since 2020 and has a total of approximately nine years of experience serving in the role of Chief Information Security Officer. The CISO reports to our Executive Vice President, Chief Information and Digital Officer (“CIDO”), who reports directly to our Chief Executive Officer. The CISO and CIDO regularly review cybersecurity matters with our Chief Executive Officer and other members of our senior management, including cybersecurity risks and threats and the status of our cybersecurity incident response plan and related processes relating to the prevention, detection, mitigation and remediation of cybersecurity incidents.

As part of its oversight responsibility of cybersecurity risk and the overall enterprise risk management process, the Audit Committee of our Board of Directors meets periodically with our CISO, CIDO, and other senior leaders to receive updates on cybersecurity risks and threats (and should they arise, any material incidents), the status of initiatives to strengthen our information security systems, third-party risk assessment outcomes, cybersecurity risk metrics, management’s assessments of our security program, and compliance with disclosure requirements. The Audit Committee and senior management report any findings and recommendations, as appropriate, to the full Board of Directors for consideration. Wesco’s cybersecurity program is regularly evaluated by internal and external experts with the results of those reviews reported to senior leadership and the Board of Directors. We also actively engage with strategic partners, industry groups, and intelligence and law enforcement to better understand macro trends and significant risk concerns to better inform and enhance our cybersecurity policies and procedures.


Company Information

Name: WESCO INTERNATIONAL INC
CIK: 0000929008
SIC Description: Wholesale-Electrical Apparatus & Equipment, Wiring Supplies
Ticker: WCC - NYSE; WCC-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30