SiteOne Landscape Supply, Inc. - (SITE)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We maintain an information security program designed to detect, identify, manage, and protect against cybersecurity and other data security threats to our information technology systems. This information security program is based in part on, and is periodically measured against, the National Institute of Standards and Technology (“NIST”) framework. Risks identified by our information security program are monitored and analyzed to determine the severity and likelihood of occurrence. IT risks are incorporated into our annual Enterprise Risk Management process and are presented to the Audit Committee annually.
Additionally, in furtherance of detecting, identifying, managing, and protecting against cybersecurity and other data security threats, we also:
• utilize Geo-IP blocking to restrict access from outside North America to our external networks, systems, and websites;
• maintain established information security policies and processes;
• provide regular security and privacy workforce training to instruct all associates on identifying and safeguarding against cybersecurity concerns;
• deploy regular network and endpoint software updates on all company-managed systems and workstations to detect and prevent, among others, viruses, malicious code, unauthorized access, and phishing attempts;
• maintain a disaster recovery plan, and perform at least two disaster recovery exercises annually to validate and optimize our recovery efforts in the event of a cybersecurity incident;
• conduct quarterly phishing exercises for all associates and, if necessary, provide additional training or take remedial action;
• regularly engage third-party cybersecurity experts to conduct vulnerability assessments and penetration testing on our information networks, systems, and applications; and
• maintain cybersecurity liability insurance.
We also have an incident response plan that includes procedures to notify, triage, contain, and investigate material cybersecurity incidents. In connection with such plan, we retain a leading cybersecurity incident response firm to provide immediate support in the event of a material cybersecurity incident.
Cybersecurity risks related to third-party IT providers and solutions are managed as part of our vendor security protocol, which covers vendors, software, and cloud-based service providers. We partner with our vendors to minimize the customer data needed to provide services and to ensure compliance with regulations. Vendors are reviewed annually to identify any changes to services, data requirements, and associated security and protections. Where applicable, vendors are contractually bound to protect customer data and to support enforcement of all regulatory requirements. We proactively evaluate the cybersecurity risk of third-party IT providers and solutions by utilizing a repository of risk assessments and an external monitoring solution that includes threat intelligence to better inform us during contracting and vendor selection processes. When third-party risks are identified, we require those third parties to agree by contract to implement appropriate security controls, or we refrain from doing business with them. Security issues are documented and tracked, and periodic monitoring of third parties is conducted in order to mitigate risk.
Like other companies that process a wide variety of information, our information technology systems, networks, and infrastructure have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. These types of attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. For example, and as previously disclosed, in July 2020, we experienced a ransomware attack on our information technology systems. While there has been no material impact to our business strategy, results of operations, or financial condition as a result of the ransomware attack, this incident, as well as any other breach of our systems, may result in cybersecurity-related risks that could have a material impact. Refer to “Risk Factors – Risks Relating to Our Business and Our Industry” for additional information regarding the cybersecurity risks faced by the Company.
Governance
The Company’s Board of Directors has ultimate oversight responsibility for risks relating to our information security program. In addition, the Company’s Board of Directors has delegated primary responsibility to its Audit Committee for reviewing and discussing with management the Company’s compliance with its information security program, as well as monitoring and controlling material risks relating to cybersecurity.
We also have a dedicated security team overseeing our information security program, which is led by our Chief Information Security Officer (“CISO”), who has over 30 years of experience working in cyber and information security roles with large companies, including senior executive positions. Members of the security team hold a variety of professional security and network credentials and certifications, including, among others, Certified Information Systems Security Professional (“CISSP”) credentials, Information Systems Security Management Professional (“ISSMP”) credentials, Certified in Risk and Information Systems Control (“CRISC”) certifications, and Certified Information Security Manager (“CISM”) certifications. The security team is responsible for leading our company-wide cybersecurity architecture, policies, procedures, strategies, and standards. In addition to our internal security team, we partner with various third-party information security providers to augment our staffing, expertise, monitoring, and response to ensure 24x7x365 coverage. Our CISO provides regular updates to our Chief Information Officer as well as to the Audit Committee, and more frequently as needed, regarding information security matters and risks, including cybersecurity threats.