Sensata Technologies Holding plc - (ST)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Cyber criminals are becoming more sophisticated and effective every day. All companies utilizing technology are subject to threats or attempts of cybersecurity attacks. Maintaining data privacy and cybersecurity to protect our employees, customers, and business is an integral aspect of our operations. Our approach to data privacy and cybersecurity is defined by our commitment to preserving the trust our employees and customers place in us and focuses on driving continuous improvement as the threat landscape evolves.
Our Audit Committee and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant financial and personnel resources to implement and maintain security programs to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and infrastructure.
However, there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our risk factors identified in Item 1A: Risk Factors included elsewhere in this Report provide further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.
Risk Management Strategy
We are guided by our Cybersecurity Charter, which includes our philosophy of information security, identifies the motivation for security, describes information security principles and terms, and defines the scope of information security policies and responsibilities for various functions. We continue to improve the maturity of our cybersecurity program, aligning with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework.
Our Director of Cybersecurity leads our information security operations, with a focus on identifying, evaluating, mitigating, and reporting on IT and cybersecurity risks that have the potential to threaten Sensata’s enterprise information assets and systems. Our cybersecurity and global IT strategy is regularly aligned with business leaders across Sensata through our IT Excellence Committee meetings, conducted 10 times a year, to ensure cyber, IT, and business priorities are communicated and understood throughout the organization.
Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the NIST, the International Organization for Standardization, and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:
Incident Response: We have an Incident Response Plan ("IRP") to address cybersecurity incidents as defined by Item 106 of Regulation S-K. The IRP includes as a core component an Incident Response Team ("IRT") that utilizes guidelines identified in the IRP to identify, assess, and disclose cybersecurity incidents as applicable. The IRT consists of a core team, which includes representation from IT, Legal, and Human Resources, and an extended team, which includes representation from Enterprise Risk Management, Communications, Investor Relations, Internal Audit, Legal, Accounting, and External Reporting. The core team is involved in all incidents that are classified as significant, requiring a response from the IRT, and it involves components of the extended team as applicable. The IRT allows for broad representation of various areas of expertise for use in executing the IRP. The IRT meets monthly to evaluate the effectiveness of our cybersecurity risk management processes and procedures, including the IRP. The IRP is designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.
Defense and Monitoring: We work to protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and search for cyber threats. Our Cybersecurity Operations Center provides comprehensive cyber threat detection and response capabilities and maintains a 24x7 monitoring system which complements the technology, process, and threat detection techniques we use to monitor, manage, and mitigate cybersecurity threats. From time to time, we engage third party consultants or other advisors to assist in assessing, identifying, and/or managing cybersecurity threats. We also periodically use our Internal Audit function to conduct additional reviews and assessments.
Insider Threats: We maintain an insider threat program designed to identify, assess, and address potential risks from within our Company. Our program evaluates potential risks consistent with industry practices, customer requirements, and applicable law, including privacy and other considerations.
Third Party Risk Assessments: We conduct information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and our standard terms and conditions contain contractual provisions requiring certain security protections.
Training and Awareness: We have robust cybersecurity training programs with frequent touch points for all employees to empower them to act responsibly and keep cybersecurity top of mind. We use monthly activities to keep employees engaged with cybersecurity, including newsletters, articles on the Sensata intranet, and mock phishing campaigns. We regularly update our comprehensive training program, which covers a wide variety of topics, from protecting work machines and personal information to social innovation and how employees can protect their digital lives at home.
Supplier Engagement: We require our suppliers to comply with our standard information security terms and conditions, in addition to any requirements from our customers, as a condition of doing business with us, and require them to complete information security questionnaires to review and assess any potential cyber-related risks depending on the nature of the services being provided.
Risk Assessment: At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, our risk register, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee, and members of management.
Technical Safeguards: We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence, and incident response experience.
Governance
Our Board of Directors, in coordination with each of our Board Committees, is responsible for oversight of our enterprise risk management activities. The Nominating and Governance Committee receives an update on the Company’s risk management process at least annually, including interaction of cybersecurity with our overall risks. The Board of Directors oversees risks from cybersecurity threats through report out from the Audit Committee, which monitors cybersecurity incidents and management's response to such incidents.
Our Audit Committee directly oversees our cybersecurity program. Quarterly reports are delivered to the Audit Committee by the Chief Information & Digital Officer ("CIDO") and/or the Director of Cybersecurity at least four times per year. These reports include information about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. These reports also include updates on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents.
Our CIDO has served in various roles in IT and information security for over 20 years. She holds an undergraduate degree in information management and technology. Our Director of Cybersecurity has served in various roles in IT and information security for over 18 years, including in the military and the healthcare and retail industries.
Cybersecurity Incidents
In the event of a cybersecurity incident, our response and mitigation efforts are guided by the IRP, which provides guidance on how to respond to, and recover from, a significant cyber incident requiring an organized response. We continue to conduct tabletop exercises testing the principles and procedures set forth in our IRP based on lessons learned.
While we have experienced cybersecurity incidents in the past, to date none have materially affected the Company or our financial position, results of operations and/or cash flows. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information about cybersecurity risks relating to our business, refer to Item 1A: Risk Factors included elsewhere in this Report.