Trane Technologies plc 10-K Cybersecurity GRC - 2024-02-08

Page last updated on April 11, 2024

Trane Technologies plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 10:59:17 EST.

Filings

10-K filed on 2024-02-08

Trane Technologies plc filed an 10-K at 2024-02-08 10:59:17 EST
Accession Number: 0001466258-24-000047

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY We maintain a cybersecurity risk assessment program and framework as set forth in our cybersecurity policies and standards. The foundation of our cybersecurity program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which includes a set of controls to prevent, detect, and respond to cybersecurity threats and incidents. These controls include constant monitoring, log collection and analysis, threat hunting and intelligence surveillance, and regular vulnerability scans/penetration tests. Additionally, in furtherance of assessing, identifying and managing material cybersecurity risks, we: Leverage technology solutions, including proactive detection tools, to protect our assets and detect threats in our environment; 24 Table of Contents Perform regular internal assessments of our cybersecurity program against the NIST Cybersecurity Framework. The results of these assessments are then reviewed and, based on such findings, action plans are developed and progress tracked through completion; Analyze both internal and external cybersecurity incidents and related threat intelligence to determine applicability to our environment and industry. Findings from such analyses are then reviewed and utilized to create action plans where applicable and relevant to our environment and industry; Maintain an enterprise-wide disaster recovery governance program, which includes cybersecurity-related disaster recovery standards and compliance procedures related thereto; Regularly perform cybersecurity-related disaster recovery testing to ensure that the Company s mission-critical systems are recoverable, in support of the business continuity needs of our various business lines; and Integrate each of our business and corporate groups with our internal cybersecurity team to ensure cybersecurity requirements are embedded into operating environments as appropriate, which drives business strategies, budgeting, and similar processes. In addition, senior and executive management, as well as our Board of Directors, regularly review our financial planning processes for these areas, inclusive of our cybersecurity programs. Any changes or additions to our cybersecurity risk assessment program and related practices and procedures described above in response to cybersecurity needs are reviewed by our executive management, Board of Directors and Audit Committee. We regularly engage independent third-parties and auditors to assess our cybersecurity program and practices and assist in the mitigation of risk. The effectiveness of our cybersecurity environment is regularly tested by internal personnel and these third-parties. These assessments are performed in connection with standards and requirements under the Payment Card Industry (PCI) data security standard, Sarbanes-Oxley Act (SOX), and the U.S. Department of Defense, cybersecurity capability maturity benchmarking and voluntary certifications by us, such as the Service Organization Control Type 2 (SOC 2). The results of these audits and assessments are promptly reviewed and enhancements are made to our cybersecurity program and practices based on such findings as appropriate. We also maintain a cybersecurity third party risk management program which evaluates systems and applications hosted by external parties for cybersecurity risks and assesses the security posture and features of those services. The program includes initial review, ongoing monitoring and contractual agreements with cybersecurity requirements to ensure third party services meet our standards for such providers, and the cybersecurity risks associated with the use of these services is acceptable. Like other comparable-sized companies, our information technology systems, networks and infrastructure and technology embedded in certain of our control products have been and may continue to be vulnerable to cyber-attacks and unauthorized security intrusions. These types of attacks may include computer viruses, malicious code, unauthorized access, phishing attempts, denial-of-service attacks, among others. For more information about these and other cybersecurity risks faced by us, see Part IA, Item 1A, Risk Factors - Risks Related to Cybersecurity and Technology. Our Board of Directors has ultimate oversight for risks relating to our cybersecurity program and practices and receives regular updates from our internal cybersecurity team on cybersecurity risks and threats. In addition, our Audit Committee provides Board-level oversight for management s actions with respect to practices, procedures and controls used to identify, assess and manage our key cybersecurity programs and risks. We also maintain an Enterprise Risk Intelligence Committee (ERIC), a management-level cross-functional group designed to monitor and mitigate risks, including cybersecurity risks, that pose a threat to our strategic objectives. The ERIC is charged with providing guidance and direction for integrating enterprise risk intelligence with important business processes, such as strategic planning, business forecasting, operational management, and investment allocation to ensure consistent consideration of risks in decision making. Finally, we maintain an Enterprise Cybersecurity Governance Committee that presents updates on cybersecurity initiatives, known and emerging issues and risks, and program updates to a cross-section of our senior management. 25 Table of Contents

Company Information