WESTINGHOUSE AIR BRAKE TECHNOLOGIES CORP 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

WESTINGHOUSE AIR BRAKE TECHNOLOGIES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 16:02:42 EST.

Filings

10-K filed on 2024-02-14

WESTINGHOUSE AIR BRAKE TECHNOLOGIES CORP filed an 10-K at 2024-02-14 16:02:42 EST
Accession Number: 0001628280-24-004774

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy The security of the Company s products, data, services and network is a critical priority. To effectively assess, identify and manage material risks associated with cybersecurity threats, the Company has adopted a comprehensive approach with respect to acceptable use, risk management, data privacy, education and awareness, security incident management and reporting, identity and access management, third-party management, security (with respect to physical assets, products, networks and systems), security monitoring and vulnerability identification. The Company has, and continues to, invest in internal and external tools to better detect, patch, monitor, and restore systems. Further, the Company maintains cybersecurity insurance coverage intended to protect against loss of business and other related consequences resulting from cyber incidents. The Company also maintains a global incident response plan and regularly conducts exercises to help with our overall preparedness. The Company takes measures to improve and update our cybersecurity program, including independent third party assessments, penetration testing and scanning of our systems for vulnerabilities. The Company pairs with assessors, consultants, auditors, and other third-party service providers and advisers to assist in monitoring cybersecurity risks. The Company remains committed to preserving the integrity of its network, while remaining adaptable to identify new and emerging threats relying on both internal and external research and intelligence gathering. The Company has instituted a Cybersecurity Awareness Month program and the Cybersecurity Champion Network for continuous improvement via trainings and continued awareness on emerging cybersecurity risks. During 2022, the Company detected a cyber-security incident which impacted the Company s network. The Company promptly activated incident response protocols and completed a thorough investigation. The incidents did not have a material impact on our business, operations or financial results. Governance The Company and its Board understands the importance of maintaining a secure environment for our products, data and systems that effectively supports our business objectives and customer needs. Cybersecurity risks are overseen by the Audit Committee of the Board. The Senior Vice-President and Chief Information Officer ( CIO ) and Chief Information Security Officer ( CISO ) provide ongoing and continuing reports to the Audit Committee, which includes information about cyber-risk management, the effectiveness of the Company s cybersecurity framework, and benchmarking the Company against its industry peers. The CISO is responsible for navigating cyber risks, data access governance, security governance and global regulatory compliance related to cybersecurity regulations and industry standards. The Company also has a Chief Product Security Officer ( CPSO ) who manages imbedding cybersecurity in the Company s products and services as they are being developed. The Company s CIO, CISO, and cybersecurity team collectively have decades of experience in various roles managing information security, developing cybersecurity strategy, and implementing, planning and operationalizing a comprehensive global IT infrastructure. Our CIO and CISO maintain relevant degrees, certifications, and trainings while also being recognized as experts in their respective fields by industry leaders. The Company also conducts ongoing cyber security reviews which includes updates on the Company s enterprise cybersecurity risk and product cybersecurity risk. Risk is assessed utilizing internal key performance indicators and external 24 evaluations to determine the Company s cybersecurity score in comparison to its peer group. Wabtec’s Board of Directors participates in all enterprise annual security awareness training and phishing campaigns. Throughout the year, as appropriate, in addition to regularly scheduled updates, the Audit Committee, CIO, and CISO maintain an ongoing dialogue regarding the Company s cybersecurity risk and posture. The cybersecurity framework is also supported by Wabtec’s broader enterprise risk management process to ensure alignment of the Company s cybersecurity efforts with the Company s overall enterprise risk management.

Company Information