STANLEY BLACK & DECKER, INC. - (SWK)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

The Company has implemented a comprehensive cybersecurity program to assess, identify and manage risks from cybersecurity threats that may result in adverse effects to the confidentiality, integrity, and availability of its information systems and oversee compliance with applicable regulatory, operational, and contractual requirements.

Cyber Incident Response Team and Governance

Board of Directors

The Board has delegated the primary responsibility for oversight of cybersecurity matters to the Audit Committee. The Audit Committee regularly reviews compliance and disclosure control procedures for cybersecurity matters. Members of management responsible for cybersecurity and digital risk management for the Company, including the Vice President and Chief Information Officer (the “CIO”), Chief Information Security Officer (the “CISO”) and the Senior Vice President, General Counsel and Secretary (the “General Counsel”), provide regular updates to the Audit Committee regarding data protection and cybersecurity risks and the Company’s new and existing cyber risk controls intended to mitigate them. The Audit Committee regularly briefs the full Board on these matters, and the full Board also receives briefings from management and third-party cybersecurity advisors on the Company’s cybersecurity program, as appropriate. The Company has protocols and procedures by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported promptly to the Audit Committee and the full Board.

Management

At the management level, oversight of risks from cybersecurity threats has been integrated into the Company’s overall risk management processes. The Senior Risk Council has broad oversight of the Company’s risk management processes, and is also responsible for the assessment and management of risks from cybersecurity threats. The Senior Risk Council is comprised of senior management personnel representing different functional and business areas, including the Chief Executive Officer; Chief Financial Officer; General Counsel; Treasurer; and CIO, as well as other senior business leaders. The Company believes the experience that Senior Risk Council members have from serving on the Senior Risk Council provides them with an understanding of the Company’s risk management process overall, and individual members are able to provide further insight to the risk analysis process based on their functional area of expertise within the business. The CIO also has extensive leadership experience in computer product engineering and information technology fields, including responsibility for overseeing cybersecurity risk management and digital risk management. The CIO also holds a bachelor’s degree in computer science. The Senior Risk Council meets regularly to discuss the risk management measures implemented by the Company, including measures to identify and mitigate data protection and cybersecurity risks. The Senior Risk Council receives regular updates on cybersecurity incidents from the CISO and CIO.

The Company’s CISO is the member of management principally responsible for overseeing the Company’s cybersecurity risk management program, in coordination with the CIO and other business leaders across the Company, including legal, product engineering management, internal audit, finance and risk management. The CISO has extensive cybersecurity knowledge and skills gained from over 20 years of technical and business experience in the cybersecurity and information security fields, including as a Chief Information Security Officer and through other leadership and technical roles in IT governance and strategy, security risk and compliance, corporate product security and data privacy, and IT infrastructure. She also holds a Master of Science degree in Information and Cybersecurity from the University of California, Berkeley. The CISO reports directly to the CIO who in turn reports directly to the Chief Executive Officer. The CISO receives reports on cybersecurity threats from members of the Cyber Security Office on an ongoing basis and, in conjunction with the Senior Risk Council, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. The CISO and CIO also work closely with the Company's legal department to oversee compliance with applicable legal, regulatory and contractual security requirements.

Internal Cybersecurity Team

The Company's Cyber Security Office, led by the CISO, is responsible for the implementation, monitoring, and maintenance of cybersecurity governance, operations and data protection practices across the Company. Reporting to the CISO are a number of experienced information security directors responsible for various parts of the Company’s business, each of whom is supported by a team of trained cybersecurity professionals. The team also holds a number of industry recognized certifications such as Certified Information Systems Security Professional, Certified Information Security Manager, Certified in Risk and Information Systems Control, and Certified Ethical Hacker, among others. In addition to its internal cybersecurity capabilities, the Company also regularly engages assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks.

Risk Management & Strategy

The Company has adopted information security policies that establish requirements and responsibilities with respect to the protection of the Company’s interests and information technology assets against loss, improper disclosure and unauthorized modification. The Company regularly educates and shares best practices with its employees to raise awareness of cybersecurity threats and the Company’s information security program, which the Company believes creates a culture of shared responsibility for the security of sensitive data and the Company’s network. All employees are regularly offered information security and protection training, including specialized training for employees exposed to sensitive information, which prompts them to certify their awareness of and compliance with applicable information technology policies and additional technology and cybersecurity standards. The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, encryption, intrusion prevention and detection systems, anti-malware functionality, data monitoring, endpoint extended detection and response, architecture controls, access controls and ongoing vulnerability assessments.

The Company has adopted a Cybersecurity Incident Response Plan (the “IRP”) that applies in the event of a cybersecurity threat or incident, which is designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to cybersecurity incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. To facilitate the success of this program, multi-disciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the IRP. Through the ongoing communications among these teams, the CISO, in coordination with the legal department and the Senior Risk Council, monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, and reports such incidents to the Board and the Audit Committee when appropriate, as discussed above. In general, the IRP leverages the National Institute of Standards and Technology guidance. The IRP applies to all Company personnel who provide or deliver technology systems (including employees or contractors and service providers).

As part of the Company’s cybersecurity risk management strategy, the Company takes measures to test and improve its cybersecurity program, including reviewing and updating the information technology policies and IRP, such as engaging an independent third party to conduct regular assessments of its cybersecurity maturity against industry best practice frameworks and conducting tabletop exercises. The Company also engages in internal and external audits to meet its regulatory obligations or customer requirements. The assessment summaries and action plans are shared with the Audit Committee as part of the CISO’s regular briefings, and in turn the Audit Committee Chair regularly updates the Board on such briefings.

The Company has processes and procedures as part of its centralized supplier risk management system to oversee, identify, assess and reduce cybersecurity threats and risks associated with key third-party service providers. As part of this process, the Company utilizes external frameworks and tools to provide assessment scoring, planning and monitoring against cybersecurity threats and risks and remediation recommendations, as applicable. Updates on third-party service provider risks are included in regular briefings to the Senior Risk Council by the CISO and CIO and escalated to the Audit Committee as appropriate.

Cybersecurity Risks, Threats & Incidents

Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition, and the Company does not believe that such risks are reasonably likely to have such an effect over the long term.

The Company deploys measures which leverage industry accepted frameworks to deter, prevent, detect, respond to, and mitigate these threats. The Company has invested and continues to invest in risk management and information security and data privacy measures in order to protect its systems and data, including employee and critical service provider training, organizational investments, incident response plans, tabletop exercises and technical defenses. Despite these efforts, cybersecurity incidents (against the Company or parties with whom the Company contracts), depending on their nature and scope, could potentially result in the misappropriation, disclosure, destruction, corruption or unavailability of critical data and confidential or proprietary information (the Company's or that of third parties) and the disruption of business operations. Refer to Item 1A. Risk Factors in Part I of this Annual Report on Form 10-K, which should be read in conjunction with the foregoing information, for additional information on cybersecurity risks the Company faces.