Johnson Controls International plc 10-K Cybersecurity GRC - 2025-11-14

Page last updated on November 14, 2025

Johnson Controls International plc described its cybersecurity risk management and governance process in its annual 10-K, filed on 2025-11-14 10:53:01 EST.

Filings

10-K filed on 2025-11-14

Johnson Controls International plc filed a 10-K at 2025-11-14 10:53:01 EST
Accession Number: 0000833444-25-000097


Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management

The Company faces a wide variety of cybersecurity threats ranging from uncoordinated individual attempts to gain unauthorized access to information technology ("IT") systems to sophisticated and targeted measures known as advanced persistent threats directed at the Company, its products, its customers, supply chain and/or its third-party service providers, including cloud providers. These threats and incidents originate from many sources globally. The Company's cybersecurity policies, standards, and procedures apply to all users, creating awareness of threats and the importance of information security and cybersecurity across the Company's workforce. These policies and standards are reviewed annually to reflect emerging threats and evolving industry practices, including elements of recognized standards such as ISO 27001 and the NIST Cybersecurity Framework for the overall enterprise and ISA/IEC 62443 for automation and control system products. The Company has implemented cybersecurity policies throughout its operations, including designing and incorporating cybersecurity into the development process for its products and services. The Company's enterprise risk management ("ERM") process considers cybersecurity threat risks alongside other significant risks as part of the Company's overall risk assessment process. The Company leverages multiple channels to promote cybersecurity topics, deliver targeted initial and refresher training for all users, and conduct an annual mandatory global information security training campaign with certification, which is translated into 20 languages, and ongoing awareness campaigns. These elements are designed to maintain a risk-aware culture. The Company maintains a 24 x 7 operations center that monitors the Company's IT environment and coordinates the investigation and remediation of alerts.

As cybersecurity events occur, the cybersecurity team focuses on responding to and containing the threat and minimizing impact. In the event of an incident, the cybersecurity team assesses, among other factors, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with participation from technical, legal and law enforcement support, as appropriate. The Company's vulnerability management program conducts assessments with specified frequencies for specific asset types to validate system health against known threats. The Company leverages multiple tools, which are routinely updated with new threat signatures, to continually respond to evolving threats identified as part of its threat detection capability. The Company also maintains a cybersecurity insurance policy. The Company engages with third parties to perform security assessments of its technology environment, including penetration testing and maturity assessments, in addition to providing services to support threat analysis and incident detection and response. Cybersecurity considerations affect the selection and oversight of the Company's third-party product and service providers. The Company performs due diligence on third parties that have access to its critical systems and data and whose products and services are integrated into the Company's products. Contractual undertakings and oversight are put in place, based on the results of the risk assessment, to manage and reduce the cybersecurity risk associated with such third-party providers. Such undertakings may include requirements to comply with administrative, technical and physical safeguards, to provide notification of cyber incidents involving the Company's systems or data, and agreements to be subject to cybersecurity audits, which the Company conducts as appropriate.

The Company requires compliance with appropriate certifications (e.g., SOC 2, ISO 27001, etc.) or appropriate alternative requirements, depending on the offering, region of use, and other factors. The Company's results of operations and financial condition were adversely affected by its previously disclosed September 2023 cybersecurity incident due to lost and deferred revenues, remediation expenses and billing and cash collection. However, the overall impact of the cybersecurity incident did not have a material impact on net income, net of insurance recoveries, or cash flows from operations for fiscal year 2024. The Company is regularly subject to cybersecurity threats. See "Risk Factors" in Item 1A of this Annual Report on Form 10-K for more information on risks from cybersecurity threats.

Cybersecurity Governance

The Company's Board of Directors (the "Board") has oversight of the management of the most significant risks facing the Company, including cybersecurity. The Board receives information technology and cybersecurity updates from senior management, including the Chief Digital and Information Officer ("CDIO") and Chief Information Security Officer ("CISO"), several times per year. These updates cover the cybersecurity risks facing the Company's enterprise information technology environment, as well as the Company's digital products and services. Regular oversight of cybersecurity matters is further delegated by the Board to the Governance and Sustainability Committee. The Governance and Sustainability Committee provides a deeper level of oversight through quarterly engagements with senior management, including the Chief Digital and Information Officer and CISO, to review the Company's cybersecurity program, including the highest risk areas and key mitigation strategies.

The Company maintains a Cybersecurity Steering Committee ("CSC") designed to ensure effective governance of risks associated with the Company's use of information and technology assets and demonstrate effective governance of cybersecurity risk. The CSC is chaired by the CISO, and includes the Company's Chief Financial Officer, General Counsel, CDIO, and other senior representatives from the Company's business segments and functions. The CSC meets quarterly to monitor the current risk landscape and active risk reduction efforts. Through this review and monitoring activity, the CSC oversees effective governance of IT Risk Management in the Enterprise IT Portfolio, drives accountability and transparency of control effectiveness, and facilitates risk remediation and mitigation in a coordinated and comprehensive manner. The CISO has been appointed by the Chief Digital and Information Officer and is responsible for cybersecurity risk management across the Company. The CISO leads a global enterprise security team responsible for enterprise-wide security strategy, architecture, engineering, and operations. The CSC has granted authority to the CISO to pause or stop business processes during the execution of cybersecurity incident response duties if they deem it necessary. The CSC maintains approval authority for the Company's Enterprise Information Security Policy. The CISO has over 20 years of technology experience including cybersecurity, infrastructure, architecture, and data and analytics in highly regulated industries including healthcare and aviation and defense. The CISO has an undergraduate degree in Computer Information Systems.


Company Information

Name: Johnson Controls International plc
CIK: 0000833444
SIC Description: Air-Cond & Warm Air Heatg Equip & Comm & Indl Refrig Equip
Ticker: JCI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29