XML 103 R89.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Risk Management and Strategy

We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. Our efforts are designed to maintain the confidentiality, integrity, and availability of our information and operational technology systems and the data stored on those systems.

The program includes:

periodic risk assessments to identify and assess cybersecurity risks and vulnerabilities in our information technology systems;

security event monitoring, management, and incident response;

third party engagements to perform periodic penetration testing and reviews of program maturity based on industry standard frameworks;

reviews by our internal audit team of the effectiveness of information technology-related internal controls;

cybersecurity risk assessments of our third-party vendors; and

employee training, including regular phishing simulations.

We have a standing risk committee. The purpose of the risk committee is to oversee a sustainable dynamic process that enables enterprise-wide cross-functional analysis and assessment of risks that may threaten the Company or provide opportunities to leverage resources to create growth opportunities. Under its charter, the risk committee is to be comprised of at least three members of the Board, selected by the President. The committee has established a working group that is comprised of representatives from the following functional areas of the Company: treasury, human resources, legal, supply chain management, sales, and marketing. Currently, the Senior Vice President, Secretary and General Counsel, a member of the risk committee, apprises the Board quarterly of the working group and this Committee’s activities.

Cybersecurity threats on our information systems are included as a topic considered by our risk committee working group which identifies, assesses and makes related recommendations for managing a number of risks, including cybersecurity threats. This working group is charged with addressing the full spectrum of its risks and managing the potential individual as well as combined impact of those risks as an interrelated risk portfolio. Moreover, the grouping group engages subject matter experts from various departments within the Company to engage in a bi-annual exercise designed to identify potential worse case scenarios, the estimated likelihood of each, and the potential financial impact of each risk, as well as to prioritize such risks, including the risk of a cybersecurity threat.

As a result of these and other initiatives, we believe we have appropriate processes in place, including in many cases, related contractual provisions, as well as appropriate physical and administrative controls, that are designed to allow oversight and identification of cybersecurity threats related to our use of third-party service providers.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. Our efforts are designed to maintain the confidentiality, integrity, and availability of our information and operational technology systems and the data stored on those systems.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Impact of Cybersecurity Events

In the fourth quarter of 2024, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, materially affected or would reasonably be likely to materially affect Graybar, including our business strategy, results of operations or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block] Governance

The Audit Committee charter provides that it shall review, at least annually, the Company’s cybersecurity program and shall receive frequent updates on cybersecurity and the development of Company’s cyber strategy and the Company’s corresponding information technology emergency response plan. Our director, information security, reports at least quarterly to the Audit Committee during its regularly scheduled meetings, and engages in weekly dialogue with the Chair of the Audit Committee and Senior Vice President, Secretary and General Counsel, including with respect to matters identified by our information technology department.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The committee has established a working group that is comprised of representatives from the following functional areas of the Company: treasury, human resources, legal, supply chain management, sales, and marketing.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The purpose of the risk committee is to oversee a sustainable dynamic process that enables enterprise-wide cross-functional analysis and assessment of risks that may threaten the Company or provide opportunities to leverage resources to create growth opportunities.
Cybersecurity Risk Role of Management [Text Block] Our director, information security, reports at least quarterly to the Audit Committee during its regularly scheduled meetings, and engages in weekly dialogue with the Chair of the Audit Committee and Senior Vice President, Secretary and General Counsel, including with respect to matters identified by our information technology department.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] We have a standing risk committee.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Moreover, the grouping group engages subject matter experts from various departments within the Company to engage in a bi-annual exercise designed to identify potential worse case scenarios, the estimated likelihood of each, and the potential financial impact of each risk, as well as to prioritize such risks, including the risk of a cybersecurity threat.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Currently, the Senior Vice President, Secretary and General Counsel, a member of the risk committee, apprises the Board quarterly of the working group and this Committee’s activities.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true