ARROW ELECTRONICS, INC. - (ARW)
10-K Filing Date: February 13, 2024
Risk Management and Strategy
The company continuously monitors its information systems to identify, assess, and manage risks from vulnerabilities and cybersecurity threats. The company’s process for identifying and assessing material risks from cybersecurity threats operates alongside the company’s broader overall risk assessment process. The company monitors risks through active (e.g., penetration tests and vulnerability scans) and passive (e.g., endpoint protection) methods and addresses system alerts on a constant basis. The company’s cybersecurity team immediately investigates system alerts that may indicate the presence of a cybersecurity threat or incident and escalates information regarding the threat or incident as necessary to address it in a timely manner. The company also maintains an incident response plan, which sets forth the processes the company will follow to address a significant cybersecurity threat or incident. The incident response plan, among other things, provides for inter-departmental coordination and management of cybersecurity threats or incidents to quickly assess the impact, mitigate risks to information systems, and work to resolve vulnerabilities. Depending on the threat or incident, the company may utilize third parties under retainer for assistance in investigating and addressing cybersecurity incidents or threats.
Senior security leadership meets regularly with the company’s risk-management team and internal and external auditors to evaluate the effectiveness of the company’s systems, controls, and management processes with respect to cybersecurity risks. The company also engages third-party cybersecurity experts to assess its processes and suggest improvements, which are reviewed with the company’s executive leadership.
The company also maintains procedures for screening and evaluating third-party providers prior to granting access to the company’s information systems. The company assesses each such prospective supplier’s system security in light of the product or service to be provided to the company. The security team analyzes high-value or high-risk third-party suppliers through interviews and surveys prior to engagement. Additionally, the company reviews third-party suppliers on an ongoing basis post-engagement to identify any changes in their security risk profile, including the occurrence of cybersecurity events affecting such suppliers.
The company describes whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect the company under the heading “Cybersecurity incidents as well as ransomware may hurt the company’s business, damage its reputation, increase its costs, and cause losses,” included as part of the company’s risk factor disclosures in Item 1A of this Annual Report on Form 10-K. To date, there have not been any cybersecurity threats or incidents that have materially affected, or are reasonably likely to materially affect, the company, including its financial condition, results of operations, or business strategies.
Governance
The Board of Directors of the company (the “Board”), primarily through its Audit Committee, oversees the company’s cybersecurity program. The company’s Chief Information Officer (“CIO”) and Chief Security Officer (“CSO”) regularly report to the Audit Committee on the current state of the company’s cybersecurity program (including the current threat landscape, cybersecurity risks, and any significant incidents). The Audit Committee may provide updates to the Board on the substance of these reports and any recommendations for improvements that the Audit Committee deems appropriate.
At the management level, the CIO and CSO receive regular reports from the company’s cybersecurity department, both historical and real-time, about the company’s global cybersecurity status. The company has established written policies and procedures to ensure that significant cybersecurity incidents are immediately investigated, addressed through the coordination of various internal departments, and publicly reported (to the extent required by applicable law). If management determines a material cybersecurity incident has occurred, the company’s policies require management to promptly inform the Board.
Under the direction of the CIO, the CSO is responsible for global cybersecurity and business continuity, which includes security architecture, security operations, incident response, IT risk and compliance, and security awareness and training. The CSO has over 25 years of security experience and maintains certifications in risk, information security, and audit, among other disciplines. The other members of the company’s security organization also have extensive cybersecurity, business, and technology experience and hold certifications in their area of expertise.