POOL CORP - (POOL)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our cybersecurity program, which is primarily documented in our business interruption and incident response policy, is designed to assess, identify and manage material risks from cybersecurity threats, and is a component of our overall enterprise risk program. We deploy multiple strategies and dedicate significant resources toward systems designed to identify, assess, manage, mitigate and respond to cybersecurity threats. We also consistently strive to improve the detection and response capabilities of our cybersecurity program. To do this, we monitor best practices across the cybersecurity space and endeavor to incorporate those in our own cybersecurity program.
Our cybersecurity policies and procedures include the controls and technology we use to identify, assess and respond to cybersecurity threats and incidents. These policies and procedures also focus on identifying vulnerabilities in our internal and external environments and remediating those vulnerabilities. To combat cybersecurity risk, we focus on proactive procedures such as patch management and quarterly cybersecurity training of our employees. In an effort to mitigate cyber risks for customer-facing software, we incorporate the protocols described above along with software specific programs such as a bug bounty system and partnerships with external experts.
We evaluate our controls and response protocols at least twice a year using external third-party assessors and consultants in both advisory and adversarial engagements. These third-party experts are familiar with our systems and could be retained in the event of a significant incident to assist us in evaluating and responding to such an incident. We incorporate the lessons learned from these engagements into our cybersecurity program. Our cybersecurity program also includes controls to manage risks associated with our use of third-party service providers; however, we cannot ensure in all circumstances that their defensive efforts will be successful.
Like most large organizations, we face constant and dynamic risks related to cybersecurity. In recent years we have faced, and expect to continue to face, various attempted cyber-attacks of increasing sophistication. To date, we are not aware of any cybersecurity incident or threat that materially impacted or could reasonably be anticipated to materially affect our business, results of operations or financial condition. However, we cannot guarantee that we will not experience such an incident in the future. For a further description of these risks, see “Risk Factors – Risks Relating to Technology, Cybersecurity and Data Privacy,” included in Item 1A of this Form 10-K, which should be read in conjunction with this Item 1C.
Governance
Our Board of Directors (Board) is responsible for oversight of our risk management programs and assisting management in addressing specific risks, including cybersecurity risks. The Audit Committee assists our Board in reviewing cybersecurity and other information technology risks, controls and procedures, including our plans to mitigate cybersecurity risks and to respond to data breaches. The Audit Committee also helps in reviewing with management any specific cybersecurity issues that could have a material impact on us. Our Chief Information Officer (CIO) provides the Board with updates on cybersecurity risks at regularly scheduled board meetings at least twice a year. These updates include the results of any third-party reviews and related remediation items.
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CIO, who has held that role since 2019 and has been employed by the company since 2004. With almost 20 years of experience in cybersecurity, our CIO has extensive cybersecurity expertise and in-depth knowledge and experience instrumental in developing and executing our cybersecurity strategies. Our CIO oversees our cyber governance programs, evaluates our compliance with applicable standards and remediates known risks. Our CIO also oversees our internal phishing tests, leads our employee cyber training program and seeks to promote company-wide awareness of cybersecurity risk through broad-based communications and educational initiatives.
At the day-to-day operational level, our CIO manages an information security team tasked with executing our cybersecurity program. This team includes a director of network security, technical director of enterprise architecture, system architects and network security staff. Members of our information technology (IT) management group, led by our CIO, have extensive years of combined experience in defending large, complex corporate environments. Our CIO, IT management group, architects and network security team members receive briefings and annual training on cybersecurity threats and response methods that provide real world threat scenarios to measure the effectiveness of our programs and technologies in protecting our systems. Our team of professionals also monitors our compliance with laws governing privacy rights, data protection and cybersecurity.
Our incident response policy outlines our protocols for assessing, managing and responding to cyber incidents. This policy guides the response of our global IT team, which, depending on the significance of the incident, includes activating response plans from third-party partners, escalating the issue to executive management, notifying one or more members of our Board, maintaining communication with users and notifying law enforcement and other agencies if warranted. We may also receive assistance from a third-party security operations center (SOC) and other industry-leading third-party providers.