AVNET INC - (AVT)
10-K Filing Date: August 14, 2024
The Company recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as defined in Item 106(a) of Regulation S-K. These risks include operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; legal risks, including violations of privacy or data protection laws; and reputational risks. The Company has implemented several cybersecurity processes, technologies, and controls to aid in its efforts.
The Company’s Global Cybersecurity & Compliance (GC&C) team maintains a comprehensive cybersecurity program that includes policies, procedures, and standards to govern the safe processing, storage, and transmission of data. GC&C team members have extensive knowledge and experience regarding cybersecurity and the Company’s information technology systems. The GC&C team leader reports directly to the Company’s Chief Information Officer. The cybersecurity program was developed using practices anchored in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and seeks to align with the additional cybersecurity measures of NIST SP 800-171 and ISO/IEC 27001. Cybersecurity controls are governed by Avnet’s Global Information Security Policy (GISP).
The Company has processes for overseeing and identifying cybersecurity threats, vulnerabilities, and controls associated with third-party service providers, including evaluating providers’ (i) cybersecurity ratings, (ii) public disclosures related to cybersecurity, (iii) cybersecurity questionnaire responses, and (iv) cybersecurity and IT certifications.
The Company provides quarterly updates to, and receives oversight from, the Audit Committee on the Company’s cybersecurity program, cybersecurity incidents, and the cybersecurity threat landscape. Responsible members of management provide updates to the Company’s senior executive team regarding all cybersecurity incidents, the cybersecurity program, and the threat landscape.
The Company’s enterprise risk management program (ERM) considers cybersecurity risks (including likelihood, potential severity, and mitigation) alongside other enterprise-wide risks as part of its overall ERM process. The GC&C team administers an IT risk management program that identifies and assesses cybersecurity risks. Its assessments are shared with the Company’s enterprise risk management council (ERM Council).
The GC&C team applies an incident response procedure. Among other things, the team escalates incidents in real time according to each incident’s potential impact and scope. Further, the GC&C team regularly collaborates with other departments—such as legal, corporate security, and human resources—when assessing, identifying, and managing cybersecurity incidents. The Company also retains external cybersecurity response consultants to assist internal resources as needed.
The Company regularly tests the effectiveness of its security program through internal audit and external assessments. The Company makes investments for continual improvements in risk and vulnerability mitigation, including ongoing monitoring, network and system updates, and employee cybersecurity awareness training.
The Company’s cybersecurity assessments and auditing include:
•Regular penetration tests conducted by external consultants;
•Regular maturity assessments conducted by external consultants;
•Quarterly self-assessments of internal cybersecurity capabilities; and
•Ongoing internal audits of cybersecurity systems and practices.
The Company’s employee communication and training program includes:
•Annual tabletop exercises performed with its executive team;
•Annual tabletop exercises with its cybersecurity incident response team;
•Annually distributing the Global Information Security Policy (GISP) to all employees;
•New hire and biennial computer-based training on data privacy and cybersecurity for all employees, with in-person training for high-risk positions;
•Cybersecurity awareness training videos available to employees and updated quarterly;
•Phishing simulations conducted with employees monthly; and
•Newsletters distributed to all employees on relevant cybersecurity threats.