Fortive Corp 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Fortive Corp reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-02-27 at 16:48:02 EST.

Filings

10-K filed on 2024-02-27

Fortive Corp filed a 10-K at 2024-02-27 16:48:02 EST
Accession Number: 0001659166-24-000046

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our process for assessing, identifying, and managing material risks associated with cybersecurity threats, including risks related to disruptions to our operations, compromise of our intellectual property rights, data privacy, litigation and other legal liability and reputational impacts, is an important component of our overall enterprise risk management process. As part of this process, both corporate and operating company leaders collaborate with subject matter experts to identify and assess cybersecurity threats and implement relevant countermeasures. In addition to this component of our overall risk management process, we have separate cybersecurity-specific risk assessment and management processes that are managed centrally and executed at both the corporate and operating company levels. These processes, including corresponding controls, are designed to help us protect against, detect, and respond to cybersecurity threats, and to manage business continuity, the availability of critical systems, product security, disclosure controls and procedures, escalation, and regulatory compliance in the event of any cybersecurity disruption.

As part of our cybersecurity controls and processes:
- we have designed our cybersecurity program based on the National Institute of Security and Technology (NIST) framework, Generally Accepted Privacy Program (GAPP) guiding principles, and ISO 27001/2 standards;
- our cybersecurity team, led by our Chief Information Officer (CIO) and Chief Information Security Officer (CISO), coordinates with our privacy and information governance team within our legal department to help ensure compliance with applicable regulatory and reporting requirements;
- the CIO and CISO undertake an annual review of the cybersecurity strategy and initiatives for Fortive and each of the operating companies, with monthly reviews of performance relative to strategic initiatives with the Chief Executive Officer (CEO) and the other executive officers;
- the CIO and CISO participate in product design efforts with operating company leaders to enhance our product security;
- through the compliance training program, we conduct mandatory cybersecurity management, data privacy and incident training for all employees;
- we conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to possible threats;
- through policy, practice and contract provisions, we require employees, as well as third-party vendors who process data, to treat customer and other personal information and data with care and in compliance with regulations;
- we run tabletop exercises conducted by leading third-party cybersecurity experts, with involvement by the broader IT team, legal team, communications team, executive management team, and the Board, to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
- we conduct regular network and endpoint monitoring, vulnerability assessments, and penetration testing designed to improve our information systems;
- we review and update, and provide training on, cybersecurity incident response plans, business continuity plans, and cyber incident escalation plans, including the involvement of our Disclosure Committee (which includes our CISO as a regular member);
- as part of that cyber incident escalation plan, our Disclosure Committee reviews cybersecurity incidents to assess materiality and consider disclosure requirements;
- the CISO meets with the information security teams at the operating companies on a monthly basis, or as needed, to review escalated items, compliance with incident response plans, and performance against strategic targets;
- the CIO and the CISO meet with the CEOs of our operating segments and the presidents of our operating companies to discuss IT strategies, updates, and initiatives, including those related to cybersecurity;
- the CIO and the CISO meet with the Audit Committee on a quarterly basis and the full Board on an annual basis to provide updates on the cybersecurity program, including controls and processes, strategies, achievements, risks, and recent incidents;
- the CIO and the CISO also meet with the full Board on an annual basis as part of the overall enterprise risk management review; and
- the CISO, as a member of the Disclosure Committee, meets with other members of the Disclosure Committee to discuss materiality and disclosure with respect to cybersecurity matters.

As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including by regularly having independent cybersecurity experts conduct tabletop exercises, conduct penetration tests, and review our cybersecurity program to help identify areas for continued focus, improvement and compliance. In addition, our processes also address cybersecurity threat risks associated with our use of third-party software and service providers, including those in our supply chain or who have access to our customer and employee data or our systems.

Third-party risks are included within our broader overall risk assessment process, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on critical third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties to agree by contract to manage their cybersecurity risks in specified ways and to be subject to cybersecurity audits, which we may conduct as appropriate. To date, we believe that the risks from identified cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Refer to the discussions under the headings "Significant disruptions in, or breaches in security of, our information technology systems have adversely affected, and in the future could adversely affect, our business" included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, and "Overview - Other Matters" included as part of our Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A) at Item 7 of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats and provides regular reports to the entire Board. In addition, at least annually, the entire Board receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Board generally receives materials indicating current and emerging material cybersecurity threat risks and describing the company's ability to mitigate those risks, and discusses such matters with our CIO and CISO. Material cybersecurity threat risks are also considered during separate Board meeting discussions of overall key enterprise risks, operational budgeting, crisis management planning, and other relevant matters.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CIO and our CISO. Our CIO and our CISO have over 30 years and 25 years, respectively, of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and implementing business continuity planning and incident response plans. Our CIO and CISO each hold several degrees and certifications relevant to their roles. Our CIO and our CISO are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan and oversight of the entire IT function, including at Fortive Corporation and the IT leaders at our operating companies.

Our CIO and our CISO report to the Audit Committee and to the full Board about cybersecurity threat risks and other cybersecurity-related matters. In addition, under our escalation policy, following the detection of a potentially significant cybersecurity incident, our CISO and our General Counsel escalate to the Executive Officers, core members of the Disclosure Committee, the Chair of the Audit Committee and the Chair of the Board initially, and then to the entire Board, as appropriate.


Company Information

Name: Fortive Corp
CIK: 0001659166
SIC Description: Industrial Instruments For Measurement, Display, and Control
Ticker: FTV - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30