QXO, Inc. 10-K Cybersecurity GRC - 2025-03-04

Page last updated on March 4, 2025

QXO, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-04 08:19:56 EST.

Filings

10-K filed on 2025-03-04

QXO, Inc. filed a 10-K at 2025-03-04 08:19:56 EST
Accession Number: 0001628280-25-009626


Item 1C. Cybersecurity.

The secure processing, maintenance and transmission of sensitive data, including confidential and other proprietary information about our business and our employees, customers, suppliers and business partners, is important to our operations and business strategy. As a result, cybersecurity, data classification and data protection are key components of our long-term strategy. We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from cybersecurity incidents in a timely manner. Our security operations team (“SOT”), which is comprised of internal security professionals and reports to the Chief Information Officer (“CIO”), has first line responsibility for our cybersecurity risk management processes as they relate to day-to-day operations. Our audit and compliance team (“ACT”), which is comprised of a team lead and the CIO, has second line responsibility and works in partnership with our executive leadership team (“ELT”) and other internal teams to coordinate efforts, priorities and oversight. Our ACT assesses cybersecurity threats and risks based on probability and potential impact to key business systems and processes. Threats and risks that can cause major damage or service impact that the ACT considers high are incorporated into our overall risk management program.
The ACT develops a mitigation plan for each identified high threat and risk and reports its progress with respect to mitigation of such threats and risks to the Technology Risk Management Committee, which is part of our ELT and consists of both management-level employees and members of the Board; such high-level cybersecurity threats and risks are tracked as part of our overall risk management program. We collaborate with third parties to assess the effectiveness of our cybersecurity incident prevention and response systems and processes as our SOT deems necessary or appropriate. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity threats and risks, as well as to support associated mitigation plans when necessary. Our System and Organization Controls (SOC) Type 2 audit, completed in September 2024, attests to the effectiveness of our security and risk management controls. We have also developed a third-party cybersecurity risk management process to conduct due diligence on external entities critical to our ongoing business operations, including those that perform cybersecurity services. We sponsor a multi-faceted security awareness program that includes regular, mandatory trainings for our personnel on data protection and malware detection, policy and process awareness, periodic phishing simulations and other kinds of preparedness testing including disaster recovery exercises. We maintain a cross-functional cybersecurity incident response plan with defined roles, responsibilities and reporting protocols. This plan, which we evaluate and test on a regular basis, focuses on responding to and recovering from any significant cybersecurity incident as well as mitigating any impact from such incidents on our business.
Generally, when a cybersecurity incident or suspected cybersecurity incident is identified, the SOT would escalate the issue to the ACT for initial analysis and guidance. In the event of a significant cybersecurity incident, the ELT would typically be tasked with preparing an initial response. The ELT, with support from the ACT, would be responsible for determining whether a particular cybersecurity incident (alone or in combination with other factors) triggers any reporting or notification responsibilities under applicable law or regulation or pursuant to any contractual obligation. The ACT, in consultation with the ELT and other members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments across our geographic footprint and further developments in the cybersecurity threat landscape. In addition, we periodically engage a third-party provider to conduct an external assessment of our cybersecurity program. The results of this assessment, which are reported to the Board, assist us in determining whether any further changes to our existing policies and practices are warranted. As indicated above, we engage third-party providers to assist us with our cybersecurity risk management and strategy. Some of these providers provide us with ongoing assistance (such as threat monitoring, mitigation strategies, updates on emerging trends and developments and policy guidance) while we engage others to provide targeted assistance (such as security and forensic expertise) as needed. Prior to exchanging any sensitive data or integrating with any key third-party provider, we assess their cybersecurity fitness against our risk posture and request changes as we deem necessary. 
As of December 31, 2024, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the headings “General Risks - We could be affected by cyberattacks or breaches of our information systems, any of which could have a material adverse effect on our business” and “General Risks - A failure of our information technology infrastructure, information systems, networks or processes may materially adversely affect our business” in this Annual Report.


Company Information

Name: QXO, Inc.
CIK: 0001236275
SIC Description: Services-Computer Processing & Data Preparation
Ticker: QXO - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30