WATTS WATER TECHNOLOGIES INC 10-K Cybersecurity GRC - 2026-02-23

Page last updated on February 23, 2026

WATTS WATER TECHNOLOGIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-23 14:55:41 EST.

Filings

10-K filed on 2026-02-23

WATTS WATER TECHNOLOGIES INC filed a 10-K at 2026-02-23 14:55:41 EST
Accession Number: 0001104659-26-018541

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We maintain a cybersecurity risk management capability designed to protect the confidentiality, integrity, and availability of our critical IT Systems, digital assets, and operational technologies, and to support business continuity, customer trust, and enterprise resilience. We design and assess our cybersecurity risk management capability using the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF") as a structured, risk-based reference. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use NIST CSF to inform how we identify, assess, prioritize, and manage cybersecurity risks relevant to our business, including decisions related to controls, investments, and maturity progression. Our cybersecurity risk management processes are integrated into our overall risk management program and share common methodologies, reporting channels, and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes the following, among other elements: ● risk assessments designed to help identify material cybersecurity threats to our critical IT Systems and information; ● a security team principally responsible for managing our (1) cybersecurity risk assessment processes, (2) security controls, and (3) response to cybersecurity incidents; ● the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security processes; ● risk review of certain third-party service providers, including software vendors , third-party cloud services, and third-party hosting services , with ongoing risk monitoring for critical vendors through an external cybersecurity intelligence service; ● cybersecurity awareness training of our employees, including incident response personnel, and senior management; ● a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents including escalation, communication, and recovery protocols , and ● periodic evaluation of our cybersecurity capabilities to identify opportunities for improvement and to prioritize enhancements based on risk, threat intelligence, and business needs. Ongoing Risks We have not experienced any material cybersecurity incidents . We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We monitor the evolving cybersecurity threat landscape, including risks associated with ransomware, supply-chain and third-party dependencies, and emerging technologies. However, we face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For a full discussion of cybersecurity risks, please see our Risk Factors in Item 1A. Management Oversight of Cybersecurity Our Chief Information Officer ("CIO") and the Vice President ("VP") of Information Security have primary responsibility for our cybersecurity risk management capability, including establishing cybersecurity strategy, overseeing risk mitigation priorities, and supervising both internal cybersecurity personnel and retained external cybersecurity consultants. Our CIO and VP of Information Security collectively have over 30 years of experience in leading information technology and security functions across strategy, architecture, engineering, and operations. The CIO and VP of Information Security take steps to stay informed and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include, but are not limited to, risk assessments, including with the support of external advisors, briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment. Management and relevant stakeholders periodically participate in cybersecurity incident response exercises designed to test preparedness, decision-making, and escalation procedures. Our Cybersecurity Council, comprised of cross-functional senior leaders from operations, finance, internal audit, product management, and information technology teams, also reviews and assesses security risks and issues from a business and technology perspective across all organizations within the Company on a quarterly basis, with the guidance and input of the CIO and VP of Information Security. The Cybersecurity Council provides oversight to help support alignment between cybersecurity risk management activities and business priorities, including operational continuity, financial impact, and product considerations. Our executive management team is responsible for assessing our material, or reasonably likely to be material, risks from cybersecurity threats with the advice and input of the CIO and VP of Information Security, including based on the above and from external advisors as necessary. Board Oversight of Cybersecurity Our Board considers cybersecurity risks as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity. The Audit Committee oversees management's implementation of our cybersecurity risk management program and receives updates on our cybersecurity risk management program from the CIO and the VP of Information Security at least twice yearly; however, only one update was provided in 2025 due to our transition to a new CIO. In addition, management updates the Audit Committee regarding any material or significant cybersecurity incidents, as well as incidents with lesser impact potential or other significant emerging risks, as appropriate. The Audit Committee reports to the full Board at least annually regarding cybersecurity matters . The full Board also receives annual briefings from the CIO and the VP of Information Security on cybersecurity, or from external experts on cybersecurity as part of the Board's continuing education on topics that impact public companies.

Company Information