Core & Main, Inc. - (CNM)

10-K Filing Date: March 19, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company monitors its information systems to assess, identify, and manage risks and assess cybersecurity threats. The Company’s cybersecurity program and related process for identifying and assessing material risks from cybersecurity threats are incorporated within the Company’s enterprise risk management program. The Company monitors risks through active (e.g., penetration tests and vulnerability scans) and passive (e.g., end-point protection) methods. The Company’s cybersecurity team investigates system alerts that may indicate the presence of a cybersecurity threat or incident and escalates information to the Company’s Chief Information Security Officer (“CISO”) regarding the threat or incident as necessary to address it in a timely manner. The Company also maintains an incident response plan, which sets forth processes the Company will follow to address a significant cybersecurity threat or incident. The incident response plan provides for, among other things, inter-departmental coordination and management of cybersecurity threats or incidents to quickly assess the impact, mitigate risks to information systems, and work to resolve vulnerabilities. Depending on the threat or incident, the Company may utilize third-parties for assistance in investigating and addressing cybersecurity incidents or threats.
Senior information technology and cybersecurity leadership meets regularly with the Company’s risk-management team and internal auditors, and engages with external service providers, to evaluate the effectiveness of the Company’s cybersecurity program, as well as its systems, controls, and management processes with respect to cybersecurity risks. The Company also engages third-party cybersecurity experts to assess its processes and suggest improvements, which are reviewed with the Company’s executive leadership, the board of directors and its audit committee.
The Company extends the risk assessment elements described above to our evaluation of third-party suppliers. The Company utilizes a risk-based approach to assess third-party suppliers prior to commencement of a relationship, and on an ongoing basis following initial engagement. This assessment considers the significance of the third-party to our operations, availability of alternative suppliers, the type of data provided to the third-party and publicly available information regarding the third-party.
The Company describes whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect the Company under the heading “Interruptions in the proper functioning of the Company’s and our third-party service providers’ IT systems or compromise of our or our customers’ confidential data, including from cybersecurity threats, could disrupt operations and cause unanticipated reputational harm, litigation and regulatory risk, as well as increases in costs or decreases in net sales, or both” included as part of the Company’s risk factor disclosures in Item 1A of this Annual Report on Form 10-K. During the period covered by this report, there have not been any cybersecurity threats or incidents that have materially affected, or are reasonably likely to materially affect, the Company, including its financial condition, results of operations, or business strategies.
Governance
The Company’s board of directors, primarily through its audit committee, oversees the Company’s cybersecurity program. The Company’s CISO regularly reports to the board’s audit committee on the current state of the Company’s cybersecurity program (including, but not limited to, the current threat landscape, cybersecurity risks, and, as needed, any significant incidents). The audit committee may provide updates to the board of directors on the substance of these reports and any recommendations for improvements that the audit committee deems appropriate. At the management level, the Company’s Chief Information Officer (the “CIO”) and Chief Financial Officer receive regular historical and real-time reports about the Company’s cybersecurity status from the Company’s cybersecurity department, which is led by our CISO. The Company has established written policies and procedures in our cybersecurity incident response plan to ensure that significant cybersecurity incidents are investigated in a timely manner, addressed through the coordination of various internal departments, and (to the extent required by applicable law) publicly reported. If management determines a significant cybersecurity incident has occurred, the Company’s policies require management to promptly inform the board of directors. The CISO is responsible for the cybersecurity program, which includes security architecture, security operations, incident response, IT risk and compliance, and security awareness and training; the CIO is responsible for IT disaster recovery. The CISO and the CIO each have over 25 years of security and IT experience. The other members of the Company’s security organization also have extensive cybersecurity, business, and technology experience and hold certifications in their areas of expertise.