SMITH A O CORP 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

SMITH A O CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 16:46:51 EST.

Filings

10-K filed on 2024-02-13

SMITH A O CORP filed an 10-K at 2024-02-13 16:46:51 EST
Accession Number: 0000091142-24-000041

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C CYBERSECURITY Cybersecurity Governance We recognize the importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by both our management and our Board of Directors. Our Chief Information Officer (CIO) oversees our information systems and cybersecurity function and reports to our Chief Executive Officer (CEO). She has over 30 years of experience in leading information systems management, strategy, and operational execution, including incident management, prevention, and response. Our Senior Director of Global Information Security (ISD) reports to our CIO and is responsible for the protection and defense of our networks and systems and managing cybersecurity risk. He has over 20 years of experience in managing cybersecurity and related risks, including threat identification, incident response, and defense strategies. Our CIO and ISD are supported by a direct and a cross-functional team of professionals with broad experience and expertise in threat assessment and detection, mitigation technologies, training, incident response, and regulatory compliance. Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, which includes our management of information and cybersecurity risk. The full Board receives an update on our cyber risk management process and trends related to cybersecurity at least annually. The Audit Committee of the Board assists the full Board in its oversight of cybersecurity risks and as part of its oversight, the Audit Committee receives reports from management on information systems and security at each meeting, including metrics and controls, and other items from time to time such as risk assessments, security software, and incident response plans. We have also established a committee of our executive leadership team to consider cybersecurity risk, mitigation strategies, and to consider trends and developments in managing the risk. Our CIO and ISD participate on this committee, which meets regularly. We have an established incident response plan led by our CIO and ISD to assess, respond, and report in the event of a cybersecurity incident. Depending on the nature and severity of the incident, the plan requires escalating notifications up to our CEO and our Board. Cybersecurity Risk Management Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program in a similar fashion to other legal, compliance, strategic, operational, and financial risk areas. Our program is guided by cybersecurity frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), although we also look to other standards to help us identify, assess, and manage cybersecurity risks relevant to our business. Our approach to cybersecurity risk management includes: Periodic risk assessments designed to help identify significant or potentially material cybersecurity risks to our critical systems, information, and our broader enterprise information technology (IT) environment; The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; A multi-layered defense and continuous monitoring strategy employing various tools and testing, and incorporating lessons learned from our defense and monitoring efforts to help prevent future attacks; Cybersecurity awareness training, including interactive simulations and tabletop exercises for our employees, incident response personnel, senior management, and our Board; Regular testing by our Internal Audit function of controls related to our financial information systems; and Information security assessments conducted on third parties with whom we share sensitive electronic data against established cybersecurity frameworks; While we have experienced cybersecurity incidents in the past, to-date none have materially affected the Company or our financial position, results of operations and/or cash flows. We continue to invest in cybersecurity and the resiliency of our networks, including our controls and processes, all of which are designed in an effort to protect our IT systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Risk Factors Business, Operational, and Strategic Risks. 13 Table of Contents

Company Information