Eaton Corp plc 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Eaton Corp plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 15:24:16 EST.

Filings

10-K filed on 2026-02-26

Eaton Corp plc filed a 10-K at 2026-02-26 15:24:16 EST
Accession Number: 0001551182-26-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy. Eaton follows the U.S. National Institute of Standards and Technology (NIST) Cyber Security Framework to structure protocols for identifying, assessing and managing cybersecurity risks. In accordance with NIST guidance, Eaton maintains documented information security policies and standards to protect operations, assets, data and services and to defend against, respond to and recover from potential cyberattacks. These policies and standards include both preventive measures and reactive processes. Preventive measures include, but are not limited to, protective and detective cybersecurity systems, security monitoring, threat hunting and mandatory, enterprise-wide employee training. Eaton's reactive processes are captured primarily by a cyber incident response plan (the IRP), which is comprised of an evolving set of procedures developed by cross-functional experts, and external consultants, who draw upon technical proficiency and learnings from past experiences. All of these procedures and practices are tailored to Eaton's technology environment and are refined iteratively. Further, Eaton has an information risk management program that includes a vendor risk assessment process, whereby Eaton systematically oversees and identifies risks from cybersecurity threats related to its use of third-party service providers . The IRP is executed by an Incident Response Team (IRT), led by our Chief Information Security Officer (CISO). The exact composition of the IRT varies depending on the severity and potential impact of an incident, and will typically include stakeholders across corporate and business functions. The team collaborates with internal experts and may engage external resources to assess and contain a threat if deemed necessary. Such external resources may potentially include forensic investigation and response firms, law firms, external auditors, forensic accountants, and consultants who are on retainer contracts for expedited availability. Our cybersecurity risk management framework is integrated into our broader enterprise risk management program, which is designed to identify, assess and mitigate material risks. When cybersecurity risks are identified through the enterprise risk management program or other monitoring activities, they are escalated to relevant business and functional leaders within the Company for appropriate oversight, evaluation, and remediation. In addition, training and tabletop exercises are updated to reflect these risk insights, reinforcing a coordinated and comprehensive approach to managing cybersecurity threats. While cybersecurity threats remain a risk to the Company's business operations (see discussion in Item 1A. Risk Factors.), our robust risk mitigation strategies have been effective to date. Accordingly, no such threats have materially affected or are reasonably likely to materially affect the company, our business strategy, results of operations or our financial condition. Governance. While Eaton's Board of Directors as a whole provides oversight over our enterprise risk management program, the Audit Committee has the specific responsibility of providing oversight for cybersecurity risks . The Company's Chief Information Officer (CIO) and CISO report quarterly to the Audit Committee on any significant cybersecurity incidents, threats, mitigation strategies and controls. The Audit Committee then updates the full board on significant matters raised and discussed during these sessions. The Audit Committee participates in risk management training related to cybersecurity risk management specifically and the full board is trained annually regarding incident response and risk management. The Audit Committee delegates day-to-day management of cybersecurity risks to the Company's senior management, which includes our CISO, who reports to the CIO. Our CISO leads a team of dedicated professionals that are responsible for a wide range of risk assessment and management and leads at least ten specialized teams of internal and external experts focusing on distinct categories of threats. Our CISO has over 30 years of cybersecurity, information security and global IT experience, including security strategy, governance, incident response, operational technology cybersecurity, and NIST-aligned program development. He is a certified information systems security professional, and previously held the CISO position at multinational public companies. Our CIO leads the Company's global information technology strategy and execution, including cybersecurity, infrastructure, operations and process improvement, and reports to the Chief Executive Officer. With an engineering background, she has extensive experience managing digital transformation, operational excellence, and enterprise IT teams, including from her prior IT leadership positions at other large public companies. Our CIO and CISO are informed about cyber incidents through regular reports from their teams. They monitor the prevention, detection, mitigation and remediation of cyber incidents through reviewing and discussing effectiveness of the information security policies and standards with their teams, as well as participating in cybersecurity training and tabletop exercises, which simulate security incidents and response.

Company Information