Page last updated on February 25, 2026
Xylem Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 13:36:17 EST.
Filings
10-K filed on 2026-02-25
Accession Number: 0001524472-26-000012
Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity is integrated into our Enterprise Risk Management ("ERM") Program, which assesses and monitors risks across the Company, including cyber threats and related risk mitigation plans. We maintain a comprehensive cybersecurity program covering enterprise information technology ("IT"), operational technology, and third-party systems on which we rely, as well as our connected products and services. This program is guided by the National Institute of Standards and Technology's ("NIST") Cybersecurity Framework and the ISA/IEC 62443 standard, respectively. Our program is designed to assess, identify and manage risks from cybersecurity threats in order to protect and preserve the security, resiliency, integrity and continued availability of the Company's enterprise IT and operational technology systems and connected products and services, while also protecting the confidentiality and integrity of information owned by, or in the custody and care of, the Company.

Key areas of responsibility include: governance, risk and compliance; threat analysis and incident response; security architecture and engineering; security operations; product security; software development; and innovation management. We employ policies, processes, tools, technology, training, incident response and regular testing, such as vulnerability scans and penetration tests of our enterprise and product security programs, to identify and mitigate cybersecurity risks. Third-party assessments of these programs are conducted periodically to assist with identifying, assessing, and managing cybersecurity risks.

We maintain cybersecurity policies that apply to all employees, as well as third-party vendors and contractors as required by applicable legal agreements. These policies specify roles and responsibilities, fundamental principles, and proper controls required for Xylem's protection, and also require the use of certain risk management processes to onboard new suppliers and other third parties. We periodically review our policies to identify potential gaps or areas for improvement, considering changes in the Company and its connected products and services, as appropriate.

Our Cybersecurity Incident Response Plan ("IRP") generally aligns with NIST's guidance and provides management with a standardized framework for responding to an actual or potential cybersecurity threat or incident. The IRP sets out procedures for investigating, containing, documenting and mitigating incidents, keeping management and other key stakeholders informed, reporting findings, and engaging third-party experts for advice and incident response, as appropriate. The IRP is tested at least annually for effectiveness and to identify areas for improvement in our processes and technologies. As specified by our IRP, we have protocols and processes by which certain cybersecurity incidents are escalated within the Company and, as appropriate, to the Board of Directors ("Board").

Employees receive ongoing education and training on relevant cybersecurity risks and practices, including periodic refreshers on how to protect information and systems from cyber threats, as well as monthly phishing simulations. We also maintain cyber insurance to mitigate potential financial exposure from certain incidents.

Governance

Our Board oversees cybersecurity, including strategy, risk and processes. At least semi-annually, the Board receives reports from the Chief Information Officer ("CIO") or the Chief Information Security Officer ("CISO"). Reports may include updates on the Company's cybersecurity risk profile, cyber program assessments, risk management strategy, measures implemented to identify and mitigate cybersecurity risks, the status of projects to strengthen the Company's cybersecurity posture, the emerging threat landscape, and other relevant topics. The Board also reviews ERM Program findings, including those related to cybersecurity risk.

The Company's Cyber Risk Committee ("CRC"), comprised of a cross-functional group of senior executives, advises on cybersecurity governance and strategic matters, and receives periodic briefings from the CISO or external experts, including related to cybersecurity risk posture, projects, issues, threat intelligence and escalations. The CRC also receives briefings from the CISO on cybersecurity incidents, including incident response, recovery, remediation, and actual or potential impacts.

Our CISO has extensive cybersecurity knowledge and skills gained from over 25 years of relevant work experience, and is a Certified Information Systems Security Professional. The CISO is responsible for assessing, monitoring and advising the Company and the Board on risks from cybersecurity threats; implementing cybersecurity strategy, programs and processes across our enterprise and connected products and services; reviewing risk management measures to identify and mitigate cybersecurity risks; and overseeing our IRP. The CISO leads the Company's Cybersecurity Team, comprised of individuals with a broad range of cybersecurity skills, experiences and certifications. The Cybersecurity Team oversees the Company's cybersecurity program and is responsible for the implementation, monitoring and maintenance of the Company's cybersecurity practices in coordination with the business teams and functions.

Material Risks, Threats & Incidents

Although we have experienced actual and attempted cybersecurity threats and incidents in the past, we do not believe that the risks from any of these threats or incidents, individually or in the aggregate, have materially affected our business, operations or financial condition, or are reasonably likely to have such an effect. However, due to the evolving nature of cybersecurity threats, it has been and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. For further discussion of our cybersecurity risks, see "Item 1A. Risk Factors" in this Report.
Company Information
| Name | Xylem Inc. |
| CIK | 0001524472 |
| SIC Description | Pumps & Pumping Equipment |
| Ticker | XYL - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |