Crane Co 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Crane Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 14:24:20 EST.

Filings

10-K filed on 2026-02-26

Crane Co filed a 10-K at 2026-02-26 14:24:20 EST
Accession Number: 0001944013-26-000095

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our cybersecurity program is staffed by a team of skilled cybersecurity professionals, with many having Certified Information Systems Security Professional (CISSP) credentials, and one or more Global Information Assurance Certification (GIAC)/The Sans Institute (SANS) cybersecurity certificates. Our response team members are in various global locations to ensure 24/7 monitoring and response capabilities and are backed by a 24/7 Managed Security Services Provider (MSSP) who monitors cybersecurity alerts. We maintain annual training for all employees on cybersecurity standards, as well provide monthly trainings on how to recognize and properly respond to phishing, social engineering schemes and other cyber threats. The Company provides our employees with an intuitive mechanism to easily report suspicious emails which are analyzed by our security systems and dedicated incident response team. Monthly "test" phishing emails are sent to our associates. Any failures trigger a retraining exercise if not properly reported and a monthly training vignette on cybersecurity awareness. We regularly engage independent third parties to test our information security processes and systems as part of our overall enterprise risk management program. Crane Company was separated from its parent company, Crane Holdings, on April 3, 2023, and since the separation and during the 5 years prior to separation, no attempted cyber-attack or other attempted intrusion on our information technology networks has resulted in a material adverse impact on our operations or financial results, in any penalties or settlements, or in the loss or exfiltration of material or sensitive Company data. Crane recognizes the inherent cyber risks associated with relying on third-party vendors such as cloud service providers, software vendors, data processors, and IT service providers with access to Company information, systems, or processes. Crane is committed to managing these risks responsibly and transparently and has an active process in place to assess and reduce that risk, including performing due diligence on third-party vendors before onboarding and evaluation and assessing their cybersecurity policies. In the event an attack or other intrusion were to be successful, we have a response team of internal and external resources engaged and prepared to respond. Although our third-party service providers have encountered cybersecurity incidents, these incidents have not had a material impact on Crane Company, including our business strategy, results of operations or financial condition. The Company maintains cyber risk and related insurance policies as a measure of added protection Cybersecurity Governance Our cybersecurity program is led by Crane Company's Chief Information Security Officer ("CISO") , who regularly reports to our executive team about our program, including a review of cyber threat trends, our information security organization and staffing, and the status of ongoing efforts and investments to strengthen our cybersecurity defenses. We utilize a risk based, multi-layered information security framework following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) critical security controls. We have adopted and implemented a systematic approach measuring ourselves against this multi-layered framework to identify and mitigate security risks that we believe are commercially reasonable for manufacturing companies of our size and scope and commensurate with the risks we face. The senior executive team, including the CISO, provide a minimum of two formal program updates each year to the Audit Committee of our Board of Directors. .

Company Information