DNOW Inc. 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

DNOW Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 06:12:08 EST.

Filings

10-K filed on 2025-02-18

DNOW Inc. filed a 10-K at 2025-02-18 06:12:08 EST
Accession Number: 0000950170-25-021784

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cyber Risk Management and Strategy The Company recognizes the increasing significance of cybersecurity threats in today’s digital landscape and has implemented a cyber risk management program to identify, assess, manage, mitigate and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management program. Our approach is designed to safeguard sensitive information, protect critical assets and maintain the integrity of our operations. - Regular assessments of cyber risks, taking into account the evolving threat landscape, technological advancements and changes in our business operations. - Proactive identification and mitigation of vulnerabilities in our information systems through regular scanning, testing and patch management. - Implementing and continuously monitoring security controls, including firewalls, intrusion detection systems, encryption and access controls, to safeguard against unauthorized access and data breaches. Our controls are based on the latest Center of Internet Security (CIS) Critical Security Controls best practices for cybersecurity and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). - Regular testing of our Cyber Incident Response Plan through tabletop exercises to ensure a swift, coordinated and effective response in the event of cyber incidents to minimize impact on operations. As part of our cyber incident response process, we also engage third-party experts as needed, such as external legal advisors and cybersecurity forensic firms. Governance Our governance structure is designed to ensure effective oversight and management of cybersecurity risks: - The Board of Directors is actively engaged in overseeing cybersecurity matters, receiving regular briefings and ensuring alignment between cybersecurity strategy and overall business strategy. - A dedicated committee oversees cybersecurity governance, assessing policies, practices and risk mitigation strategies and ensuring alignment with industry best practices. - Our executive leadership team actively participates in the development and execution of cybersecurity strategy, reinforcing the importance of cybersecurity at the highest levels of the organization. - IT and Cybersecurity reports to the Chief Administrative and Information Officer (CAIO) who provides updates to the dedicated committee. Regulatory Compliance We remain committed to complying with all relevant cybersecurity regulations and standards applicable to our industry. Our governance structure is designed to adapt to evolving regulatory requirements and industry best practices. While we believe our current measures are robust, we recognize the dynamic nature of cyber threats and continually refine our approach to remain vigilant and responsive. This disclosure provides stakeholders with a comprehensive overview of the organization’s cyber risk management, strategy and governance practices, demonstrating a commitment towards proactive cybersecurity measures and compliance. No unauthorized access to customer, vendor, supplier, joint venture, employee or our data occurred as a result of cybersecurity incidents against us that has had a material adverse effect on our business, operations, or consolidated financial condition. See additional information about our cybersecurity risks under Risks Relating to Our Business in Item1(a) Risk Factors. 22

Company Information