Page last updated on July 27, 2025
FEDERAL SIGNAL CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:19:34 EST.
Filings
10-K filed on 2025-02-26
FEDERAL SIGNAL CORP /DE/ filed a 10-K at 2025-02-26 16:19:34 EST
Accession Number: 0000277509-25-000012
Item 1C. Cybersecurity.
Item 1C, Cybersecurity, of this Form 10-K for more information on our cybersecurity risk management and governance.

Infringement of, or an inability to protect, our intellectual property rights could adversely affect our business.

We rely on a combination of patents, trademarks, copyrights, nondisclosure agreements, IT security systems, physical security, and other measures to protect our proprietary intellectual property and the intellectual property of certain customers and suppliers. However, we cannot be certain that our efforts to protect these intellectual property rights will be sufficient. Intellectual property protection is subject to applicable laws in various jurisdictions where interpretations and protections differ or can be unpredictable and costly to enforce. Further, our ability to protect our intellectual property rights may be limited in certain foreign jurisdictions that do not have, or do not enforce, strong intellectual property rights. Any failure to protect or enforce our intellectual property rights could have a material adverse effect on our competitive position, financial condition, results of operations, or cash flow.

Legal and Financial Risks

We may incur material losses and costs as a result of lawsuits or claims that may be brought against us that are related to product liability, warranty, product recalls, intellectual property, client service interruptions, or other matters.

We are exposed to product liability and warranty claims in the normal course of business in the event that our products actually or allegedly fail to perform as expected, or the use of our products results, or is alleged to result, in bodily injury and/or property damage. For example, we have been sued by firefighters seeking damages claiming that exposure to our sirens has impaired their hearing and that the sirens are, therefore, defective.
In addition, we are subject to other claims and litigation from time to time, as further described in the accompanying notes to our consolidated financial statements. We could experience material product liability or warranty costs in the future and incur significant costs to defend ourselves against these claims. While we carry insurance and maintain reserves for product liability claims, our insurance coverage may be inadequate if such claims do arise, and any defense costs and liability not covered by insurance could have a material adverse impact on our financial condition, results of operations, or cash flow. A future claim could involve the imposition of punitive damages, the award of which, pursuant to state laws, may not be covered by insurance. In addition, warranty and certain other claims are not typically covered by insurance. Any product liability or warranty issues may adversely impact our reputation as a manufacturer of high-quality, safe products and may have a material adverse effect on our business.

The costs associated with complying with environmental, safety, and other regulations could lower our margins.

We, like other manufacturers, continue to face significant governmental regulation of our products, especially in the areas of the environment and employee health and safety. Several significant administrative law cases decided by the U.S. Supreme Court in 2024 may result in additional legal challenges to regulations and guidance issued by federal regulatory agencies. Successful challenges of certain regulations, any increased regulatory uncertainty, or delay or other impacts to the federal agency rulemaking process could adversely impact our business and operations.
Increased public awareness and concern regarding climate change and other related matters at numerous levels of government in various jurisdictions may lead to additional international, national, regional, and local legislative and regulatory responses, and compliance with any new rules could be difficult and costly. These regulations could include environmental requirements applicable to manufacturing and vehicle emissions and regulations impacting our supply chain both nationally and internationally. Complying with environmental, safety, and other regulations has added and will continue to add to the cost of our products, could increase the capital required to support our business, and could affect the products and services that we offer. While we believe that we are in compliance in all material respects with these laws and regulations, we may be adversely impacted by costs, liabilities, or claims with respect to our operations under existing laws or those that may be adopted. These requirements are complex, change frequently, and have tended to become more stringent over time. Therefore, we could incur substantial costs, including cleanup costs, fines, and civil or criminal sanctions as a result of violation of, or liabilities under, environmental laws and safety regulations. Further, climate change regulations at the federal, state, or local level or in international jurisdictions could require us to limit emissions, change our manufacturing processes or product offerings, or undertake other activities which may require us to incur additional expense. For example, on March 6, 2024, the SEC adopted final rules that would require new climate-related disclosure in SEC filings, including certain climate-related metrics, greenhouse gas emissions, and information about climate-related targets and goals. The SEC stayed the final rules pending outcome of legal challenges in the Eighth Circuit Court of Appeals. 
If implemented, these requirements may increase the cost of our products, which may diminish demand for those products. Additionally, uneven application of environmental, safety, and other regulations could place our products at a cost or features disadvantage, which could reduce our revenues and profitability.

An impairment in the carrying value of goodwill, intangible assets, or long-lived assets could negatively affect our financial position and results of operations.

As of December 31, 2024, goodwill and intangible assets represented 27% and 11% of total consolidated assets, respectively. Rental equipment and properties and equipment are long-lived assets, which also collectively represented 22% of our total consolidated assets as of December 31, 2024. Goodwill and indefinite-lived intangible assets are tested for impairment annually, or more frequently if indicators of impairment exist. Definite-lived intangible assets and long-lived assets are reviewed for impairment whenever events or changes in circumstances indicate that the carrying amount may not be recoverable. In evaluating the potential for impairment of goodwill, intangible assets, and long-lived assets, we make assumptions regarding future operating performance, business trends, competition, and market and general economic conditions. Such analyses further require us to make certain assumptions about our net sales, operating margins, growth rates, and discount rates. There are inherent uncertainties related to these factors. An impairment charge may result from, among other things, a significant decline in operating results, adverse market conditions, unfavorable changes in applicable laws or regulations, or a variety of other factors. Our total consolidated assets and results of operations for the applicable period could be materially adversely affected if any such charge is recorded.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity

The Company does not believe that there are currently any known risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition. However, the Company could face risks from cybersecurity threats in the future that could have a material adverse effect on its business strategy, results of operations, or financial condition. For more information on the Company’s cybersecurity-related risks, see Item 1A, Risk Factors, of this Form 10-K.

Risk Management and Strategy

The Company’s processes for identifying, assessing, and managing material cybersecurity risks are incorporated into its overall Enterprise Risk Management process. The Company maintains a comprehensive cybersecurity risk management program, overseen by the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), to support the security, confidentiality, integrity, and availability of its critical IT systems and information.

The Company conducts internal risk assessments, with the assistance of independent third parties, against standards including the National Institute of Standards and Technology Cybersecurity Framework. The assessment results are used to develop responsive cybersecurity controls and risk mitigation strategies. The Company’s cybersecurity risk management program provides the structure for managing the respective risks through the use of a combination of automated tools, technologies, and third-party monitoring, as well as ongoing employee education via cybersecurity training and security awareness communications.

The Company’s cybersecurity risk management program includes an incident response plan, which provides a documented framework to support the timely and effective resolution of actual or attempted cybersecurity incidents.
Cybersecurity incidents across the Company, and relevant third-party service providers, are tracked and significant incidents, as applicable, are promptly escalated to a cross-functional cybersecurity task force so that decisions regarding public disclosure can be made in a timely manner by management and the Board.

The Company’s Internal Audit function performs audits to evaluate and report on compliance with cybersecurity policies and procedures, reviews internal control certifications from relevant third-party service providers, and tests IT system and network controls as part of its annual assessment of the effectiveness of the Company’s internal controls. Additionally, the Company engages third-party specialists to conduct periodic tests, incident simulations, and assessments to verify and continuously enhance its cybersecurity risk management program.

Governance

The Board has overall responsibility for the oversight of risk management and has delegated oversight of cybersecurity risk management to the Audit Committee. The Company’s CIO and CISO regularly report to the Audit Committee on cybersecurity risks, updates on key initiatives, and progress toward the Company’s objectives. In addition, the CIO provides updates to the Board, at least annually, on the Company’s broader IT strategy and key initiatives.

The CIO and CISO have primary responsibility over the Company’s cybersecurity risk management program. Quarterly updates are provided to the Company’s IT Council, which is comprised of executive, business unit, and IT leaders from across the organization, regarding IT initiatives and risk management processes.
Company Information
Name | FEDERAL SIGNAL CORP /DE/ |
CIK | 0000277509 |
SIC Description | Motor Vehicles & Passenger Car Bodies |
Ticker | FSS - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |