Page last updated on March 5, 2025
Ingram Micro Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 11:10:04 EST.
Filings
10-K filed on 2025-03-05
Ingram Micro Holding Corp filed a 10-K at 2025-03-05 11:10:04 EST
Accession Number: 0001628280-25-010298
Item 1C. Cybersecurity.
Risk Management and Strategy

Our business operations rely on the secure processing, storage, integrity, and transmission of business-critical information, including transaction information as well as personal and other sensitive data, through digital and interconnected systems, including those of our service providers and other third parties. In order to identify, prevent, respond to, and mitigate cybersecurity risks, we maintain a formal data protection program with physical, technical, and administrative safeguards (the “Program”), which is integrated into our overall risk management processes. As part of the Program:

- We have implemented and maintain documented policies and comprehensive technical controls (including multifactor authentication and end-to-end encryption) designed using the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and mapped to the specifications of International Organization for Standardization (“ISO”) 27001. The Program is regularly reviewed and updated on an annual basis, with a comprehensive annual review cycle.
- We maintain a dedicated cybersecurity team under the joint direction of our Executive Vice President and President - Global Platforms Group, and our Chief Information Security Officer (“CISO”). Our cybersecurity team operates a 24/7 Security Operations Center that employs threat detection and response technologies, including AI and ML capabilities. In addition, we maintain the Ingram Micro Trust Center, a centralized hub for stakeholders and the public to access key information about our cybersecurity and privacy programs.
- We regularly test our internal IT controls through a combination of automated and manual testing procedures, including continuous automated vulnerability scanning and periodic penetration tests, and we regularly test our disaster recovery and other back-up plans. Our Program also undergoes annual external audits by independent auditors as part of our ISO 27001 certification process. Critical vulnerabilities identified through these processes are remediated according to defined timelines based on severity and other relevant factors.
- We maintain, and we require our third-party service providers to maintain reasonable security controls designed to protect the confidentiality, integrity, and availability of our information systems and the sensitive data we process or that is processed on our behalf. We address potential risks posed by the use of such third-party service providers via established vendor risk assessments, due diligence, and contract review by our cybersecurity team.
- We require our employees to complete security awareness training upon hiring and on a regular basis, with modules covering applicable Company policies and emerging threats. Our training program includes practical exercises such as simulated phishing campaigns.

We also work with third-party cybersecurity and data privacy professionals as part of the design and implementation of our program, including accountants, independent assessors, external legal counsel, and other consultants.

Our incident reporting and escalation process is designed to detect and analyze cyber incidents in real time, to assess their impact, to escalate the incident to our CISO and the Company’s Information Security Management Committee (which consists of our CEO, CFO, General Counsel, CISO, and EVP and President - Global Platform Group), as appropriate and consistent with our Incident Response Plan, and to determine and effectuate the appropriate response and reporting actions, including evaluating the impact and materiality of such incidents to our financial condition and operations. All cybersecurity threats are documented by our Security Incident Response Team, with incidents exceeding a certain threshold escalated to our CISO. Critical incidents involving confirmed data breaches, ransomware, or system-wide outages trigger immediate Security Management Committee involvement and require the board of directors to be informed of significant or material cybersecurity incidents within 24 hours.

While we, along with our customers, vendors, suppliers, and service providers, are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate, has materially affected the Company during the periods covered by this report. See Item 1A, “Risk Factors”, for more information on the cybersecurity threats facing our Company.

Governance

Our board of directors maintains active oversight of cybersecurity risks through a structured governance framework:

- The full board of directors receives comprehensive cybersecurity briefings at least annually, supplemented by sessions focused on emerging threats and program strategy.
- The Audit Committee receives regular updates (typically quarterly) that cover, among other topics, performance against operational metrics and results of recent audits and assessments.
- Our CISO, under the direction of our Executive Vice President and President - Global Platform Group, leads our Program, working with key stakeholders and resource groups, including industry groups, peer institutions, internal committees (the Information Security Management Committee), and law enforcement, as needed, to understand, identify, and address cybersecurity risks. Our CISO maintains direct reporting access to the board of directors, ensuring that time-sensitive matters may be escalated as needed.
- Our internal audit team is responsible for testing key IT controls, while leaders from our legal, finance, communications, and risk management teams participate in incident response training, including annual tabletop exercises, to ensure swift and effective responses to cybersecurity incidents.

Our cybersecurity leadership team brings extensive qualifications and expertise:

- Our CISO has over 15 years of experience in information security, including leadership roles at Nissan Motors and Ingram Micro. He has performed investigations in the public sector as a deputized high-tech crimes investigator with a digital forensic certification. He serves on numerous cyber industry organization boards and lends his expertise as a leader and practitioner. He speaks at numerous events annually on various cyber topics.
- Members of the broader security team maintain various professional certifications including CISSP, CISM, CEH, and SANS certifications. We maintain partnerships with leading universities to support continuing education and stay current with emerging threats and technologies.
Company Information
Name | Ingram Micro Holding Corp |
CIK | 0001897762 |
SIC Description | Wholesale-Computers & Peripheral Equipment & Software |
Ticker | INGM - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 27 |