W.W. GRAINGER, INC. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

W.W. GRAINGER, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:44:48 EST.

Filings

10-K filed on 2025-02-20

W.W. GRAINGER, INC. filed a 10-K at 2025-02-20 16:44:48 EST
Accession Number: 0000277135-25-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

Grainger has a dedicated cybersecurity team that works to prevent, detect, and respond to cybersecurity threats. The cybersecurity team is led by the Vice President and Chief Information Security Officer (CISO), who is responsible for assessing and managing material risks from cybersecurity threats. Grainger’s CISO has over 20 years of cybersecurity experience and maintains industry recognized security certifications.

The cybersecurity team has implemented processes designed to assess, identify and manage material risks from cybersecurity threats and vulnerabilities to the Company’s security posture, including prioritizing and remediating such risks. The team also works to assess and manage cybersecurity risks by: (i) reviewing risks from cybersecurity threats with senior management; (ii) incorporating cybersecurity in its enterprise risk processes; (iii) establishing regular reviews of cybersecurity risks and mitigation efforts, including with the Audit Committee and the Board; and (iv) using third parties as needed for reviews and testing.

Grainger regularly identifies its enterprise risks. Grainger’s cybersecurity team reviews and updates its information security strategy and aligns plans based on cybersecurity prioritization with the identified top enterprise risks.

Grainger engages with third parties in order to enhance, implement, assess and monitor its cybersecurity processes, controls, and posture.

Grainger has developed a cybersecurity risk intake process to facilitate the identification of cybersecurity risks, including those related to third-party vendors. Identified risks are tracked by management, and incorporated into mitigation plans.

Grainger has been subject to unauthorized access of systems on which certain supplier, customer, and team member information was stored, which have been deemed immaterial to our business and operations individually and in the aggregate.
As of the date of this filing, Grainger does not believe that any risks from cybersecurity threats, including as a result of past cybersecurity incidents, have had, or are reasonably likely to have, a material adverse effect on Grainger, including its business strategy, results of operations or financial condition. However, Grainger, or third-party service providers engaged by Grainger, may be subject to cybersecurity incidents, or other unauthorized access of information systems in the future. There can be no assurance that any future cybersecurity incident or unauthorized access to or breach of these information systems will not be material to Grainger’s business, strategy, results of operations or financial condition. See Part I, Item 1A: Risk Factors of this Form 10-K.

Governance

The Audit Committee assists the Board in its oversight of the Company’s Enterprise Risk Management (ERM) program and processes, including with respect to cybersecurity. As part of its ERM oversight, the Board oversees and regularly reviews the Company’s programs and processes for cybersecurity risks, including the Company’s framework for preventing, detecting, and addressing cybersecurity incidents and identifying emerging risks both broadly and within related industries. The Company’s CISO routinely provides material cybersecurity updates to the Audit Committee and information to the Board.


Company Information

Name: W.W. GRAINGER, INC.
CIK: 0000277135
SIC Description: Wholesale-Durable Goods
Ticker: GWW - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: December 30