W.W. GRAINGER, INC. - (GWW)

10-K Filing Date: February 22, 2024
Item 1C: Cybersecurity
Risk Management and Strategy
Grainger has a cybersecurity team that works to prevent, detect, and respond to cybersecurity threats. The team has implemented processes designed to assess, identify and manage material risks and vulnerabilities to the Company’s security posture, including prioritizing and remediating such risks. The team also works to assess and manage cybersecurity risks by: (i) reviewing cyber risks with senior management, including the Senior Vice President and Chief Technology Officer (CTO); (ii) incorporating cybersecurity in its enterprise risk processes; (iii) establishing regular reviews of cybersecurity risks and mitigation efforts, including with the Audit Committee and the Board; and (iv) using third parties as needed for reviews and testing.

Grainger regularly identifies its enterprise risks. Grainger’s cybersecurity team reviews and updates its information security strategy and plans to align cybersecurity prioritization with the identified top enterprise risks.

Grainger has developed a cybersecurity risk intake process to facilitate the identification of cybersecurity risks, including those related to third-party vendors. Identified risks are tracked by management, and incorporated into mitigation plans.

The management team engaged in the cybersecurity risk management process, including the CTO, has risk management backgrounds, certifications, and/or cyber experience in prior professional roles and at Grainger. The team maintains expertise on cyber risk management through third-party consultants, external trainings, and affiliations with relevant organizations.

Grainger has been subject to unauthorized access of systems on which certain supplier, customer, and team member information was stored, which have been deemed immaterial to our business and operations individually and in the aggregate. Grainger, or third-party service providers engaged by Grainger, may be subject to other unauthorized access of information systems in the future. There can be no assurance that any future unauthorized access to or breach of these information systems will not be material to Grainger’s business, operations or financial condition. See Part I, Item 1A: Risk Factors of this Form 10-K.

Governance
The Audit Committee assists the Board in its oversight of the Company’s Enterprise Risk Management (ERM) program and processes, including with respect to cybersecurity.

Both the Board and the Audit Committee regularly review the Company’s risk assessment and management processes and policies and receive regular updates from the Company’s management team members who are responsible for the effectiveness of the Company’s ERM program. As part of its ERM oversight, the Board oversees and regularly reviews the Company’s programs and processes for cybersecurity risks, including the Company’s framework for preventing, detecting, and addressing cybersecurity incidents and identifying emerging risks both broadly and within related industries. The Company’s CTO routinely provides cybersecurity updates to the Audit Committee and information to the Board. The CTO leads an information security team that works to facilitate the protection of the Company’s information and computing assets.


21