DXP ENTERPRISES INC - (DXPE)
10-K Filing Date: March 11, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
We have processes in place to identify, assess and manage material risks from cybersecurity threats. These processes are part of our overall enterprise risk management process and have been embedded in our internal controls and information systems.
Our cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages the National Institute of Standards and Technology Cyber Security Framework ("NIST CSF") for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls.
We contract with external firms to assess our cyber security controls relative to our peers using the NIST CSF. We also have a third-party risk management program that assesses risks from vendors and suppliers. In addition, we maintain a Business Continuity and Disaster Recovery Plan as well as a cybersecurity insurance policy.
We have established cybersecurity and information security awareness training programs. Formal training on topics relating to our cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees, contractors and third parties with access to our network. Training is administered and tracked through online learning modules. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspect human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular company-wide communications with frequent updates to educate on the latest adversary trends and social engineering techniques.
Additionally, we engage in cyber crisis response simulations to assess our ability to adapt to information and operational technology threats. Improper or illegitimate use of our information system resources or violation of our information security policies and procedures is subject to disciplinary action. Our security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including Multi-Factor Authentication to ensure that access to information and communication is vetted and secure.
We also utilize internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate our security posture. We also engage external firms to measure our NIST CSF maturity level.
Governance
Our board of directors established a standing Cybersecurity Committee, which is tasked with oversight of the Cybersecurity Program, including: (i) strategy and governance; (ii) operations; and (iii) risk management and regulatory compliance.
The Cybersecurity Committee responsibilities include:
• reviewing our enterprise cybersecurity strategy and framework, including our assessment of cybersecurity threats and risk, data security programs, and our management and mitigation of cybersecurity and information technology risks and potential breach incidents;
• reviewing any significant cybersecurity incident that has occurred, reports to or from regulators with respect thereto, and steps that have been taken to mitigate against reoccurrence;
• evaluating the effectiveness of our cyber risk management and data security programs measured against our cybersecurity threat landscape;
• assessing the effectiveness of our data breach incident response plan;
• reviewing and assessing our information technology disaster recovery capabilities; and
• reviewing our assessment of cybersecurity threats and risk associated with our supply chain and actions we are taking to address such threats and risks.
The Cybersecurity Committee receives reports and updates at committee meetings from our Chief Information Officer (“CIO”) and other executives and cybersecurity specialists. Following each committee meeting, the chair of the Cybersecurity Committee briefs the full board of directors on matters covered at the prior Cybersecurity Committee meeting. The board also receives periodic briefings on emerging trends in order to enhance its literacy on cybersecurity issues. At least annually, the Cybersecurity Committee receives updates about the results of the Cybersecurity Program reviews.
The Cybersecurity Committee participates with management periodically in “tabletop” exercises to evaluate our data breach incident response plan.
Management’s Role and Expertise in Assessing and Managing Cybersecurity
Our Cybersecurity and Information Technology organization is led by our CIO, who is responsible for cybersecurity risk management. Our CIO has more than 27 years of experience in the IT industry. Since 2006, he has held multiple roles at the Company and most recently as Vice President of IT Strategic Solutions.
Our cybersecurity incident response framework is governed by a corporate Cybersecurity Incident Response Plan (the “IRP”), which sets out our approach for categorizing, responding to, and mitigating cybersecurity incidents. The IRP provides definitions of key terms, stakeholder roles and responsibilities, and a response governance and escalation process.
We have an incident response team comprised of our CIO, executive leaders, management, and internal and external legal counsel, whose primary responsibilities include:
• evaluating and validating the impact of an incident;
• approving certain incident response countermeasures and remediation actions;
• escalating incidents and response countermeasures for approval; and
• acting in an advisory capacity in support of cybersecurity incident remediation, as appropriate.
We maintain a Business Continuity and Disaster Recovery Plan that addresses our preparation for, management, recovery from, and ultimate resumption of business after a crisis, including emergency response, continued recovery, and business resumption activities such as information systems recovery, when a cybersecurity incident may potentially have a significant impact on our business strategy, results of operations, or financial condition.
As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, as discussed under "Item 1A. Risk Factors," specifically the risk titled "Cybersecurity breaches and other disruptions or misuse of our network and information systems could affect our ability to conduct our business effectively," the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well our controls are designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.