WESCO INTERNATIONAL INC - (WCC)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Information security and protection of our data is important to Wesco, our customers and suppliers. We take a comprehensive, multi-layered approach to securing our data and business systems from attack, compromise or loss. This includes a combination of leading technologies and physical and organizational safeguards, including a robust suite of security policies and procedures. We have a dedicated 24 hours per day/seven days per week Cybersecurity Operations team, with a third-party service provider, monitoring our environment for signs of attack and responding in real time.
The implementation of a multi-layer and multi-provider portfolio of technologies is designed to deliver overlapping coverage against today’s cybersecurity threats with a strong defensive and response-driven security posture. We evaluate risks, threats, intelligence feeds and vulnerabilities to adapt, mitigate or respond as appropriate to preserve a secure state. Additionally, Wesco has a comprehensive third-party risk management program to evaluate partners prior to onboarding, throughout the life of the relationship, and through the close-out of the relationship. This program is designed to ensure our third-party partners adhere to Wesco’s security policies and expectations as the threat landscape evolves and the relationship between the organizations changes. Wesco’s cybersecurity programs are reviewed as part of our information security management system (“ISMS”) by external, independent third parties, and in 2022 we achieved ISO 27001 certification for our ISMS. We conduct mandatory information security awareness training for our employees at least annually and enhanced training for specialized personnel. We have instituted regular attack or malicious activity simulations for employees to enhance awareness and responsiveness to such possible threats, and we also employ third parties to perform penetration and vulnerability tests.
While we focus on prevention and detection, we have response and recovery plans in place, as well as service agreements and partner engagements should there be a need for us to respond to an attack. We have adopted a cybersecurity incident response plan that provides direction and a defined approach for preparing for, identifying and responding to cybersecurity incidents that may pose a potential threat to our information systems, networks and data. The plan defines the roles and responsibilities of our IT and security teams and other functional teams that comprise the cybersecurity incident response team, as well as provides controls and procedures for timely and accurate reporting of material cybersecurity incidents. Significant cybersecurity incidents are reviewed by a cross-functional team to determine whether further escalation is appropriate. Any incident that potentially is, or may become, material is reported to senior management for materiality and disclosure determinations. We also maintain cyber liability insurance coverage. While we did not experience any material data breaches in 2023 and no risks from cybersecurity threats have materially impacted or are reasonably likely to materially impact the Company’s business strategy, operations, or financial condition, we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A, “Risk Factors” of this Annual Report on Form 10-K.
Governance
To more effectively prevent, detect and respond to information security threats, we have a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes. The CISO, with over 30 years of technology experience, has been in this role with Wesco since 2020, has a total of eight years of experience serving in the role of Chief Information Security Officer, and has twelve years of experience dedicated to cybersecurity. The CISO reports to our Executive Vice President, Chief Information and Digital Officer (“CIDO”), who reports directly to our Chief Executive Officer. The CISO and CIDO regularly review cybersecurity matters with our Chief Executive Officer and other members of our senior management, including cybersecurity risks and threats and the status of our cybersecurity incident response plan and related processes relating to the prevention, detection, mitigation and remediation of cybersecurity incidents. As part of its oversight responsibility of cybersecurity risk and the overall enterprise risk management process, the Audit Committee of our Board of Directors meets at least quarterly with our CISO, CIDO, and other senior leaders to receive updates on cybersecurity risks and threats (and should they arise, any material incidents), the status of initiatives to strengthen our information security systems, management's assessments of our security program, and compliance with disclosure requirements. The Audit Committee and senior management report any findings and recommendations, as appropriate, to the full Board of Directors for consideration. Wesco’s cybersecurity program is regularly evaluated by internal and external experts, with the results of those reviews reported to senior leadership and the Board of Directors.
We also actively engage with strategic partners, industry groups, and intelligence and law enforcement to better understand macro trends and significant risk concerns to better inform and enhance our cybersecurity policies and procedures.