OSHKOSH CORP - (OSK)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

The Company maintains a cybersecurity risk management program, led by a Chief Information Security Officer (CISO), that is responsible for the Company’s overall cybersecurity strategy, policy, architecture, and cyber threat detection and response. The CISO, who reports to the Company’s Chief Information Officer (CIO), has a Bachelor’s degree in Information Systems and an MBA and is a Certified Information Systems Security Professional with over a decade of professional cybersecurity experience. The program aligns with industry frameworks and controls from the National Institute of Standards and Technology. Leveraging these frameworks and controls allows the Company to identify the fundamental security capabilities and controls necessary to maintain and enhance the program. The Company utilizes a wide range of capabilities to maintain cybersecurity, including threat intelligence, multi-factor authentication, endpoint detection and response, and security automation.

As part of the cybersecurity risk management program, the Company has a set of Company-wide cybersecurity policies and procedures, including an Acceptable Use Policy as well as other policies covering subjects such as Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Media Protection, System and Communications Protection, and Incident Response. These policies and procedures go through an internal review process and are approved by appropriate members of management. The Company requires all personnel, including contingent workers and business partners handling information on the Company’s behalf, to follow its cybersecurity policies and procedures. Regular training modules educate the Company’s team members on relevant cyber threats and trends and help prepare them for real-life phishing threats.

The Company implements processes to assess and manage risks associated with using third-party information system service providers. This risk assessment process assesses both the service provider’s security posture and the security controls available from the third-party information system. The service provider’s security posture assessment includes reviewing any third-party attestations as well as third-party controls in the following areas: assets, data flows, authentication, access, monitoring, response, and recovery. Depending on the type of system or data, additional controls may be assessed.

The Incident Response Plan includes processes for detecting, containing, and responding to incidents including processes for reporting incidents to management and the Board of Directors. The Company periodically performs simulations and tabletop exercises at a management level and incorporates external advisors as needed. The Company engages third-party services to conduct evaluations of its security controls, whether through penetration testing, independent audits or consulting on best practices to address cybersecurity risks.

Assessing, identifying and managing cybersecurity-related risks are integrated into the Company’s overall Organization Risk Management (ORM) program. Cybersecurity-related risks are included in the risk universe that the ORM program evaluates to assess top risks to the enterprise on an annual basis. To the extent the ORM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion.

The Board of Directors is responsible for general oversight of the Company's risk management program, including cybersecurity risks. The Board of Directors receives an annual report from senior management through the ORM program and material risk assessments and mitigation strategies, including with respect to cybersecurity risks.

The Audit Committee of the Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align the Company’s risk exposure with its strategic objectives. The CIO provides periodic updates to the Audit Committee on the status of the Company’s cybersecurity risk management program; the Company’s information systems, cybersecurity, data privacy and other risks; and the steps management has taken to identify, monitor and mitigate such risks. The Audit Committee is also briefed on cyber crisis contingency planning and incident recovery capabilities and on matters related to any material cybersecurity incident the Company may experience.

The Company’s business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but the Company cannot provide assurance that it will not be materially affected in the future by cybersecurity risks, threats or incidents. See Item 1A under the caption "Increased cybersecurity threats and more sophisticated computer crime pose a risk to our systems, networks, operations, products and services" for additional information on cybersecurity risks applicable to the Company.