Xylem Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Xylem Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 14:28:06 EST.

Filings

10-K filed on 2024-02-28

Xylem Inc. filed an 10-K at 2024-02-28 14:28:06 EST
Accession Number: 0001524472-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBER SECURITY. We have implemented a comprehensive cybersecurity program guided by recognized industry practices and frameworks and we continue to evolve the program in order to be able to assess, identify and manage risks from the continually evolving cybersecurity threat landscape. Our cybersecurity program encompasses our enterprise information technology, including operational technology and technology of third parties on which we rely, and connected products and services. Although we maintain a cybersecurity program that we believe is reasonably designed to protect the Company, cybersecurity threats may result in adverse effects on the confidentiality, integrity, and availability of our information systems or those of third parties on which we rely, and our connected products and services. Management and Internal Cybersecurity Team Our Chief Information Officer ( CIO ), who has over 30 years of relevant work experience in information technology, including cybersecurity, is responsible for the Company s information technology systems and cybersecurity and is an integral part of the Company s management of cybersecurity and related risks. The CIO reports to the Senior Vice President, Operations and Supply Chain, who reports directly to the Chief Executive Officer. 29 Our Chief Information Security Officer (“CISO”), who has extensive cybersecurity knowledge and skills gained from over 25 years of relevant work experience and holds the Certified Information Systems Security Professional certification, reports to the CIO. The CISO is responsible for assessing, monitoring and advising the Company s businesses, management and the Board of Directors ( Board ) on the Company s risks from cybersecurity threats; implementing cybersecurity strategy, programs and processes across our enterprise and connected products and services; reviewing the risk management measures implemented by the Company to identify and mitigate cybersecurity risks; and overseeing the maintenance and deployment of the Cybersecurity Incident Response Plan. The Company s Cybersecurity Team ( Team ), comprised of individuals with a broad range of cybersecurity skills, experiences and certifications, is led by the CISO. The Team is responsible for the implementation, monitoring and maintenance of the Company s cybersecurity practices in coordination with its businesses, operations and functions, and oversees the Company s cybersecurity program, including infrastructure, governance and incident response as detailed below. On a regular basis, the CISO receives reports from the Team on these cybersecurity program matters. In addition, the CISO also receives reports and updates on incident response and cybersecurity threats. Risk Management and Strategy The CISO and Team manage a program for enterprise cybersecurity that is guided by the National Institute of Standards and Technology s ( NIST ) Cybersecurity Framework. Key areas of responsibility in the program include governance, risk and compliance, threat analysis and response, security architecture and engineering, security operations, and secure manufacturing operations. The CISO and Team also manage a program for connected products and services cybersecurity risk management that is guided by the ISA/IEC 62443 standard to enable protection and resiliency across products and services. Key areas of responsibility include product security, software development, innovation management, threat analysis and incident response. Both the enterprise and connected products and services programs are designed to assess, identify and manage risks from cybersecurity threats in order to protect and preserve the security, integrity and continued availability of the Company s information technology systems and connected products and services, and also to protect the confidentiality and integrity of information owned by, or in the custody and care of, the Company. Elements of the programs include policies, standards, architecture, processes, tools, technology, employee education and training, and incident response. Our risk management processes undergo at least quarterly review to identify potential gaps and areas for additional investment, resources and focus. Our enterprise and product security programs undergo regular testing, including periodic vulnerability scanning and penetration testing. In addition, we also periodically engage third parties to assess our enterprise and product security programs and provide consultation and advice to assist with assessing, identifying, and managing cybersecurity risks. Our Enterprise Risk Management ( ERM ) Program annually assesses and, on an ongoing basis, monitors the Company s key risks, including cybersecurity risk. We maintain a suite of policies the Cybersecurity Policy, the Product Cybersecurity Policy and the Acceptable Use of Information Technology Resources Policy that apply globally to all of our employees, businesses and functions, as well as third-party vendors and contractors as required by our legal agreements with them. These policies specify roles and responsibilities, fundamental principles and proper controls required for Xylem s protection. Our policies are reviewed annually to identify potential gaps or areas for improvement, considering changes in the Company, and its connected products and services, as appropriate. Our Code of Conduct, implemented by the Board, requires our employees adherence with our policies and practices, including with respect to cybersecurity risk management. Employees receive ongoing annual education and training regarding relevant cybersecurity risks and practices, including how to protect information and systems from cyber threats. We also conduct monthly phishing simulations to increase employees ability to detect and prevent such threats. Through our internal social media channel, we provide cybersecurity alerts and education. In addition, our policies require the use of a cyber risk management process to onboard new suppliers and other third parties. The Company s cybersecurity risk mitigation strategy includes the use of risk transfer via insurance that provides protection against certain potential losses arising from certain cybersecurity incidents. 30 Board of Directors Our Board recognizes the importance of maintaining the trust and confidence of our customers, suppliers, employees and shareholders. In line with its broader strategic oversight, the Board oversees cybersecurity, including strategy and processes. To assist with oversight of cybersecurity, the Board has delegated to the Audit Committee responsibility to oversee certain aspects of cybersecurity, including controls and reporting. As part of its independent oversight of the key risks facing the Company, the Board and Audit Committee devote considerable time and attention to the oversight of management s approach to cybersecurity and related risk mitigation, including strategy, controls. resources, policies, standards, processes and practices. At least semi-annually, the Audit Committee or full Board receive reports from the CIO and CISO. Such reports include updates on the Company s cybersecurity risk profile, assessments of the Company s enterprise and product security programs, management s strategy for managing risks, measures implemented to identify and mitigate cybersecurity risks, the status of projects to strengthen the Company s cybersecurity posture, the emerging cybersecurity threat landscape, and other relevant topics. We have protocols and processes by which certain cybersecurity incidents, as specified by our Cybersecurity Incident Response Plan, are escalated within the Company and, as appropriate, to the Audit Committee. These escalation protocols are periodically reviewed and updated, as needed. The Board receives a report on the results of the Company s annual ERM Program risk assessment, as well periodic updates on the ERM Program, including ongoing monitoring of the Company s risks, as appropriate. The ERM Program has identified cybersecurity as one of the Company s primary risks. Key Internal Governance Bodies Xylem has a number of committees to bolster business resilience, protect shareholder value and enable compliance with regulatory requirements. The Enterprise Risk Committee ( ERC ), a key component of the Company s ERM Program, is comprised of senior executives and is responsible for reviewing the Company s key risks as identified by the ERM Program, including cybersecurity, and overseeing the Company s identification, assessment, management, mitigation and ongoing monitoring of these risks. As such, the ERC periodically receives reports from the CISO on cybersecurity risk. The Cyber Risk Committee ( CRC ), comprised of a cross-functional group of senior executives including the CIO, CISO, Chief Financial Officer and General Counsel, provides advice and governance regarding the Company s strategic management of cybersecurity across the Company, including cybersecurity risk posture, projects, issues, threat intelligence and escalations. The CRC meets at least quarterly and receives reports and presentations from the CISO or third parties on internal and external cybersecurity matters; and, as appropriate, briefings from the CISO on cybersecurity incidents, the Company s incident response, recovery and remediation, and actual or potential impacts. Incident Response Our Cybersecurity Incident Response Plan ( IRP ), which generally aligns with NIST’s guidance, provides management with a standardized framework for responding to an actual or potential cybersecurity threat or incident. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The IRP also specifies the use of third-party experts for legal advice, consulting and incident response, as appropriate. The IRP undergoes at least annual tabletop exercises, where the Incident Response Team and relevant business and functions drill our response to a simulated cyber incident. The results of these drills are used to identify areas for improvement in our processes and technologies. Material Cybersecurity Risks, Threats & Incidents Due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. While we have not experienced any material cybersecurity threats or incidents as of the date of this Report, our cybersecurity program might not be able to prevent or mitigate future successful attacks, threats or incidents. As detailed elsewhere in this Report, we also rely on information technology and other third-party vendors and strategic joint venture partners to support our business and operations, including our secure processing of personal, confidential, financial, sensitive, proprietary and other types of information, and to enable our connected product and service offerings. Despite ongoing efforts to improve our and third parties ability to protect against cyber threats, we may not be able to protect all information systems or connected products and services. Cybersecurity incidents may lead to reputational harm, revenue and client loss, legal actions, statutory penalties, among other consequences. For a more detailed discussion of these risks see the discussion set forth under Item 1A. Risk Factors in this Report. 31

Company Information