FEDERAL SIGNAL CORP /DE/ - (FSS)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
The Company does not believe that there are currently any known risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition. However, the Company could face risks from cybersecurity threats in the future that could have a material adverse effect on its business strategy, results of operations, or financial condition. For more information on the Company’s cybersecurity-related risks, see Item 1A, Risk Factors of this Form 10-K.
Risk Management and Strategy
The Company’s processes for identifying, assessing, and managing material cybersecurity risks are incorporated into its overall Enterprise Risk Management process. The Company maintains a comprehensive cybersecurity risk management program, overseen by the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), to support the security, confidentiality, integrity and availability of its critical information technology (“IT”) systems and information.
The Company conducts internal risk assessments, with the assistance of independent third parties, against standards including the National Institute of Standards and Technology Cybersecurity Framework. The assessment results are used to develop responsive cybersecurity controls and risk mitigation strategies. The Company’s cybersecurity risk management program provides the structure for managing the respective risks through the use of a combination of automated tools, technologies and third-party monitoring, as well as ongoing employee education via cybersecurity training and security awareness communications.
The Company’s cybersecurity risk management program includes an incident response plan, which provides a documented framework to support the timely and effective resolution of actual or attempted cybersecurity incidents. Cybersecurity incidents across the Company and relevant third-party service providers are tracked, and significant incidents, as applicable, are promptly escalated to a cross-functional cybersecurity task force so that decisions regarding public disclosure can be made in a timely manner by management and the Board of Directors.
The Company’s Internal Audit function performs audits to evaluate and report on compliance with cybersecurity policies and procedures, reviews internal control certifications from relevant third-party service providers, and tests IT system and network controls as part of its annual assessment of the effectiveness of the Company’s internal controls. Additionally, the Company engages third-party specialists to conduct periodic tests, incident simulations and assessments to verify and continuously enhance its cybersecurity risk management program.
Governance
The Board of Directors has overall responsibility for the oversight of risk management, and has delegated oversight of cybersecurity risk management to the Audit Committee. The Company’s CIO and CISO regularly report to the Audit Committee on cybersecurity risks, updates on key initiatives and progress toward the Company’s objectives. In addition, the CIO provides updates to the Board of Directors, at least annually, on the Company’s broader IT strategy and key initiatives.
The CIO and CISO have primary responsibility over the Company’s cybersecurity risk management program. Quarterly updates are provided to the Company’s IT Council, comprised of executive, business unit and IT leaders from across the organization, regarding IT initiatives and risk management processes.