WATSCO INC - (WSO)
10-K Filing Date: February 23, 2024
CYBERSECURITY
Risk Management and Strategy
We have established security practices and safeguards designed to help identify and protect against intentional and unintentional misappropriation or corruption of our information technology systems, data, and operational continuity. We regularly conduct risk assessments to identify potential cybersecurity threats, which include evaluating the likelihood and potential impact of these threats, identifying system and network vulnerabilities, and assessing the effectiveness of our existing controls. As part of our overall cybersecurity program, we engage specialized third-party vendors for certain cybersecurity functions including, but not limited to, incident response, penetration testing, and security operations center monitoring of our information technology environment. Identified risks are documented and communicated to the relevant stakeholders. Upon identification and assessment of risks, we develop and implement what we believe are appropriate measures to manage these risks, which may involve enhancing security controls, implementing new technologies, training employees, or changing business processes. We maintain change management processes, monitoring practices, and data protection measures to mitigate cybersecurity risks and continuously test our systems for potential threats. Such processes and practices to assess, identify, and manage cybersecurity incidents are integrated into our overall enterprise risk assessment process.
Governance
A dedicated management team at our corporate headquarters, which is led by our Director of Data Security (“DDS”) and composed of the Chief Technology Officer (“CTO”) and representatives from risk management, legal, internal audit, and finance departments, is responsible for assessing and managing our cybersecurity risks and data protection practices. The Audit Committee oversees the measures taken by this management team to monitor material risks associated with cybersecurity threats, a role crucial to maintaining a robust and effective cybersecurity risk management approach. The DDS and CTO provide formal briefings to the Audit Committee on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, and other areas of importance at least once a year, with the Board of Directors receiving updates periodically. Regular discussions on enterprise risks are held between the Audit Committee, Board of Directors, and senior management.
Our DDS has more than 20 years of expertise in the information technology sector, with 10 years specifically dedicated to cybersecurity. This experience has fostered a thorough comprehension of cyber threat landscapes, defense strategies, and security technologies.