TEREX CORP 10-K Cybersecurity GRC - 2024-02-09

Page last updated on April 11, 2024

TEREX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-09 16:17:55 EST.

Filings

10-K filed on 2024-02-09

TEREX CORP filed a 10-K at 2024-02-09 16:17:55 EST
Accession Number: 0000097216-24-000013


Item 1C. Cybersecurity.

Terex bases its enterprise-wide cybersecurity program on the National Institute of Standards and Technology's Cybersecurity Framework to ensure our cybersecurity measures are rigorous, adaptable, transparent and aligned with best practices in the industry. We take a comprehensive approach to cybersecurity risks, with a multi-layered cybersecurity strategy based on prevention, detection and mitigation.

Primary responsibility within management for assessing, monitoring and managing our cybersecurity risks and program rests with our Vice President ("VP") Cybersecurity and Senior Vice President ("SVP") Chief Digital Officer. Our VP Cybersecurity has significant cybersecurity education/training and many years of industry experience in the field of cybersecurity. In addition, our SVP Chief Digital Officer offers added in-depth knowledge with significant experience leading technology teams. Terex also has a Global Cybersecurity Group ("GCG"), consisting of management and non-management team members, that is tasked with the continuous development and implementation of information security policies and controls.

Terex utilizes the concept of defense in depth and deploys multiple layers of controls across operations to manage cybersecurity risk. Our GCG monitors and evaluates our cybersecurity infrastructure and performance on an ongoing basis through regular assessments, vulnerability scans, penetration tests and threat intelligence feeds, enabling Terex to identify, prioritize, and effectively manage risks. Additionally, our GCG engages an external third party to complete an annual red team penetration test to assess our preparedness. We apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We also provide awareness training to our team members to help identify, avoid and mitigate cybersecurity threats.
Our team members with network access participate annually in required training, including spear phishing and other awareness training. Terex also conducts at least one cyber-incident tabletop exercise annually in collaboration with outside counsel, cybersecurity insurance carriers and/or other third parties. Our Senior Director, Risk Management, works closely with our VP Cybersecurity and information technology department to ensure we are aligned and covered with respect to any cybersecurity insurance coverage needs and overall risk management strategies.

Before initiating a third-party service provider, Terex's GCG performs a thorough assessment of its cyber security measures including a review of the third-party provider's information security policy, service organization control report(s), architectural diagram(s) and an overview of its cyber security program. It is also our practice to negotiate breach notification clauses into our IT vendor contracts for vendors who are hosting or storing any Terex information.

Terex maintains a variety of policies, plans and procedures that carefully detail the roles and responsibilities of those involved in monitoring, addressing and reporting any cybersecurity incidents, enabling Terex to respond efficiently and effectively, and to minimize any risks or impact to the business or customers. The VP Cybersecurity keeps members of senior management continually informed of any cybersecurity incidents, ensuring they are promptly and appropriately handled. The VP Cybersecurity also keeps the SVP Chief Digital Officer, Chief Executive Officer and other members of our senior management informed of the Company's overall cybersecurity posture and potential risks. The Board of Directors is cognizant of the critical value of managing cybersecurity threat risks and is updated on such matters accordingly.
Cybersecurity risks are reviewed by the Board of Directors, at least annually, as part of our enterprise risk management process and as part of a separate update by our SVP Chief Digital Officer. The Audit Committee assists the Board of Directors with its oversight of cybersecurity risks and the steps taken by the Company to monitor and mitigate such cybersecurity risks. The VP Cybersecurity and SVP Chief Digital Officer provide regular, periodic reports to the Audit Committee on cybersecurity metrics and matters. Senior management also keeps the Board of Directors apprised of cybersecurity incidents and related materiality assessments as appropriate.

Terex has experienced cyber incidents in the normal course of business; however, no prior cybersecurity incident has had a material adverse effect on Terex's business, strategy, results of operations, financial condition or reputation. For more information on the cybersecurity threats and risks we face, see Part I, Item 1A. Risk Factors.


Company Information

Name: TEREX CORP
CIK: 0000097216
SIC Description: Industrial Trucks, Tractors, Trailors & Stackers
Ticker: TEX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30