POOL CORP 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

POOL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:06:01 EST.

Filings

10-K filed on 2025-02-27

POOL CORP filed a 10-K at 2025-02-27 17:06:01 EST
Accession Number: 0000945841-25-000032


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity program, which is primarily documented in our business interruption and incident response policy, is designed to assess, identify and manage material risks from cybersecurity threats. Our program leverages components from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which we use to help us identify, assess and manage cybersecurity risks relevant to our business. Our cybersecurity program is a component of our overall enterprise risk program. We deploy multiple strategies and dedicate significant resources toward systems designed to identify, assess, manage, mitigate and respond to cybersecurity threats. We also consistently strive to improve the detection and response capabilities of our cybersecurity program. To do this, we monitor best practices across the cybersecurity space and endeavor to incorporate those in our own cybersecurity program.

Our cybersecurity policies and procedures include the controls and technology we use to identify, assess and respond to cybersecurity threats and incidents. These policies and procedures also focus on identifying vulnerabilities in our internal and external environments and remediating those vulnerabilities. To combat cybersecurity risk, we focus on proactive procedures such as patch management and emphasize the importance of cybersecurity across our organization through quarterly trainings, which include best practices and participation in simulated phishing exercises to strengthen employee vigilance. We evaluate our controls and response protocols at least twice a year using external third-party assessors and consultants in both advisory and adversarial engagements. These third-party experts are familiar with our systems and could be retained in the event of a significant incident to assist us in evaluating and responding to such an incident. We also regularly test our environment as part of our focus on identifying and eliminating vulnerabilities. We incorporate the lessons learned from these engagements into our cybersecurity program.

Recognizing the risks posed by external partners, we have implemented a third-party risk management program, which includes due diligence assessments, contractual safeguards, and regular monitoring of vendors and partners with access to our systems or data; however, we cannot ensure in all circumstances that their defensive efforts will be successful.

Like most large organizations, we face constant and dynamic risks related to cybersecurity. In recent years we have faced, and expect to continue to face, various attempted cyber-attacks of increasing sophistication. To date, we are not aware of any cybersecurity incident or threat that materially impacted or could reasonably be anticipated to materially affect our business, results of operations or financial condition. However, we cannot guarantee that we will not experience such an incident in the future. For a further description of these risks, see “Risk Factors - Risks Relating to Technology, Cybersecurity and Data Privacy,” included in Item 1A of this Form 10-K, which should be read in conjunction with this Item 1C.

Governance

Our Board of Directors (Board) is responsible for oversight of our risk management programs and assisting management in addressing specific risks, including cybersecurity risks. The Audit Committee assists our Board in reviewing cybersecurity and other information technology risks, controls and procedures, including our plans to mitigate cybersecurity risks and to respond to data breaches. The Audit Committee also helps in reviewing with management any specific cybersecurity issues that could have a material impact on us. Our Chief Information Officer (CIO) provides the Board with updates on cybersecurity risks at regularly scheduled board meetings at least twice a year. These updates include the results of any third-party reviews and related remediation items.

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CIO, who has held that role since 2019 and has been employed by the company since 2004. With almost 20 years of experience in cybersecurity, our CIO has extensive cybersecurity expertise and in-depth knowledge and experience instrumental in developing and executing our cybersecurity strategies. Our CIO oversees our cyber governance programs, evaluates our compliance with applicable standards and remediates known risks. Our CIO also oversees our internal phishing tests, leads our employee cyber training program and seeks to promote company-wide awareness of cybersecurity risk through broad-based communications and educational initiatives.

At the day-to-day operational level, our CIO manages an information security team tasked with executing our cybersecurity program. This team includes a director of network security, technical director of enterprise architecture, system architects and network security staff. Members of our information technology (IT) management group, led by our CIO, have extensive years of combined experience in defending large, complex corporate environments. Our CIO, IT management group, architects and network security team members receive briefings and annual training on cybersecurity threats and response methods that provide real-world threat scenarios to measure the effectiveness of our programs and technologies in protecting our systems. Our team of professionals also monitors our compliance with laws governing privacy rights, data protection and cybersecurity.

Our incident response policy outlines our protocols for assessing, managing and responding to cyber incidents. This policy guides the response of our global IT team, which, depending on the significance of the incident, may include escalating the issue to executive management, notifying one or more members of our Board, maintaining communication with users and notifying law enforcement and other agencies if warranted. We may also receive assistance from a third-party security operations center (SOC) and other industry-leading third-party providers.


Company Information

Name: POOL CORP
CIK: 0000945841
SIC Description: Wholesale-Misc Durable Goods
Ticker: POOL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30