BADGER METER INC 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

BADGER METER INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 13:26:48 EST.

Filings

10-K filed on 2024-02-16

BADGER METER INC filed a 10-K at 2024-02-16 13:26:48 EST
Accession Number: 0000950170-24-016245


Item 1C. Cybersecurity.

The Company's Board and management recognize the importance of maintaining the trust and confidence of our customers, clients, business partners and employees, and that effective risk oversight is critical in running a successful business and fulfilling its fiduciary responsibilities to the company and its shareholders. Our Board is responsible for assuring that an appropriate culture of risk management exists within the Company and for setting the right tone at the top. The Board oversees an enterprise-wide approach to risk management, designed to support the achievement of organizational objectives, including strategic objectives, to improve long-term organizational performance and enhance shareholder value. A fundamental part of risk management is not only understanding the risks a company faces and what steps management is taking to manage those risks, but also understanding what level of risk is appropriate for the Company. The involvement of the full Board in setting the Company's business strategy is a key part of its assessment of management's tolerance for risk and also a determination of what constitutes an appropriate level of risk for the Company. Refer to Part I, Item 1A. Risk Factors of this 2023 Annual Report on Form 10-K for further information about the Company's overall ERM process.

Risk Management and Strategy

Cybersecurity is a critical component of the Company's ERM program. The Company has established an information security framework to help safeguard the confidentiality, integrity, and availability of information assets and ensure regulatory, operational, and contractual requirements are fulfilled. The Company's cybersecurity program is focused on the following key areas:

Governance: The Board provides oversight of the ERM process and reviews the significant identified risks. The Board's oversight of cybersecurity risk management is supported by the Audit and Compliance Committee, which regularly interacts with the Company's senior management, including the Director - Information Systems (i.e., the Company's chief information officer). The Company's various Board committees also play a role in risk management, as detailed in their respective charters.

Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the materiality, public disclosure and reporting of such incidents can be made by management in a timely manner. Senior leadership also briefs the Board on information security matters at least annually.

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company's information systems from cybersecurity threats, such as machine learning intelligence platforms with an array of technologies, extensive encryption, firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. The frameworks used to guide the deployment of technical safeguards include: International Organization for Standardization (ISO) 27001, Service Organization Control 2 (SOC 2), Sarbanes-Oxley (SOX), and National Institute of Standards and Technology (NIST). The Company has been ISO 27001 certified since 2015 and is externally audited and certified annually by a leading IT compliance attestation firm.

Incident Response Planning: The Company has established, maintains and regularly tests incident response plans that address the Company's overall preparedness and response to a cybersecurity incident. The plans include, among other steps, assessment processes to determine the magnitude and materiality of an incident, an analysis of the need and method to communicate to various constituencies (customers, employees, authorities, etc.), and the requirements for public and regulatory disclosure. In addition to this response planning framework, among other mitigating actions the Company maintains an insurance policy for cybersecurity liability that provides not only coverage for breaches, but also loss prevention services and claims advisors.

Third Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third party systems. Third parties are granted access to systems based on the principle of least privilege.

Education and Awareness: The Company provides mandatory annual training for personnel regarding cybersecurity threats to educate employees with effective tools and knowledge to address cybersecurity threats, and to communicate the Company's evolving information security policies, standards, processes and practices. Quarterly internal phishing tests are performed, and periodic and/or thematic email communications are provided throughout the year to raise awareness. Individual training is given to personnel as needed.

Governance

The Board oversees the Company's ERM process, including the management of risks arising from cybersecurity threats. The Board receives annual cybersecurity updates from senior management, and the Audit and Compliance Committee provides a deeper level of oversight through an annual review of management's approach to cybersecurity risk with the Director - Information Systems. The Board and the Audit and Compliance Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

The Director - Information Systems, in coordination with management, works collaboratively across the Company to implement a program designed to protect the Company's information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company's incident response plans. Management is actively involved in the incident response and risk management process (mitigation, transference, and acceptance). IT Management and General Counsel are explicitly informed by the internal security team and Managed Security Service Provider (MSSP) of incidents and periodically updated on the investigation progress and impact of the incident. Management also receives explicit monthly summaries on all incidents. Major incidents are reported to company management and summarized at an annual management review meeting. Internal IT Management has the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC/SANS Certified Forensic Examiner, Magnet Certified Forensic Examiner, BBA Information Technology Emphasis Security, and CompTIA Security+.

While the Company has experienced, and expects to continue to experience, cyber threats, no material security breaches of third-party information have occurred. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A Risk Factors under the heading General, which should be read in conjunction with the foregoing information.


Company Information

Name: BADGER METER INC
CIK: 0000009092
SIC Description: Totalizing Fluid Meters & Counting Devices
Ticker: BMI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30