Eaton Corp plc - (ETN)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy.
Eaton follows the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework to structure its protocols for identifying, assessing and managing cybersecurity risks. In accordance with NIST guidance, Eaton maintains documented information security policies and standards to protect operations, assets, data and services and to defend against, respond to and recover from potential cyberattacks. These policies and standards include both preventive measures and reactive processes. Preventive measures include, but are not limited to, protective and detective cybersecurity systems, security monitoring, threat hunting and mandatory, enterprise-wide employee training. Eaton’s reactive processes are captured primarily by a cyber incident response plan (the IRP), which consists of an evolving set of procedures developed by cross-functional experts and external consultants who draw upon technical proficiency and lessons learned from past incidents. All of these procedures and practices are tailored to Eaton’s technology environment and are refined iteratively. Further, Eaton has an information risk management program that includes a vendor risk assessment process, whereby Eaton systematically identifies and oversees risks from cybersecurity threats related to its use of third-party service providers.
The IRP is executed by an Incident Response Team (IRT), led by our Chief Information Security Officer (CISO). The exact composition of the IRT varies depending on the severity and potential impact of an incident, and will typically include stakeholders across corporate and business functions. The team collaborates with internal experts and may engage external resources to assess and contain a threat if deemed necessary. Such external resources may include forensic investigation and response firms, law firms, external auditors, forensic accountants, and consultants who are on retainer contracts for expedited availability.
While cybersecurity threats remain a risk to the Company’s business operations (see discussion in Item 1A. Risk Factors.), our robust risk mitigation strategies have been effective. Accordingly, no such threats have materially affected or are reasonably likely to materially affect the company, our business strategy, results of operations or our financial condition.
Governance.
While our Board of Directors as a whole has oversight of risk management generally, oversight of cybersecurity risks falls to the Board’s Audit Committee. The Company’s Chief Information Officer (CIO) and CISO report to the Audit Committee quarterly, at each Audit Committee meeting, on any significant cybersecurity incidents, threats, mitigation strategies and controls. The Audit Committee then updates the full Board on significant matters raised and discussed during these sessions.
The Audit Committee delegates day-to-day management of cybersecurity risks to the Company’s senior management, which includes our CISO, who reports to the Company’s CIO. Our CIO reports directly to the Chief Executive Officer. Our CISO leads a team of dedicated professionals who are responsible for a wide range of risk assessment and management activities, and leads at least ten specialized teams of internal and external experts, each focusing on a distinct category of threats.