REGAL REXNORD CORP - (RRX)

10-K Filing Date: February 26, 2024
ITEM 1C - CYBERSECURITY
Our executive leadership team is responsible for the global risk management framework and influences the culture of risk management within the Company. Additionally, our Board is responsible for oversight of the executive leadership team’s approach to risk management and cybersecurity strategy. The Board recognizes the importance of maintaining security and the trust of our customers, clients, business partners and associates. The Company has developed a cybersecurity program founded on a strong management approach, policy-driven governance, standards and procedures, and execution of a comprehensive strategy that adapts to changing risks. The Company’s cybersecurity policies and standards are fully integrated into our overall risk management process and were created based upon the National Institute of Standards and Technology cybersecurity framework and other applicable industry standards. The Company endeavors to manage cybersecurity risks through a comprehensive and multidisciplinary approach that emphasizes confidentiality, security, and availability of our information by deploying processes to support identification of cybersecurity threats and using tools for prevention and mitigation of cybersecurity incidents. To the extent that cybersecurity incidents may occur, the Company has established cross-functional procedures that enable a prompt and effective response to cybersecurity incidents.

Risk Management and Strategy
Our global risk management policy provides a uniform approach for monitoring, identifying, measuring and responding to enterprise-wide risk to minimize potential disruptions to business operations and harm to reputation. Our global risk management policy framework encompasses enterprise risk management, business continuity and cybersecurity. Cybersecurity risk is a key component of our overall global risk management policy. The Company’s cybersecurity program is focused on the following areas:

Governance: In furtherance of the Board’s risk management oversight goals, the Company convenes a Risk Committee comprised of key functional and business leaders. Among other members, the Risk Committee includes our Chief Information Security Officer (“CISO”), our Director of Global Risk and Property Management, our Vice President, Internal Audit, and our Vice President, Environmental, Health and Safety. This diverse group supports a strong focus on cybersecurity, business continuity, and associated enterprise risks. The Risk Committee's members are charged with, among other things, identifying and assessing significant and emerging risks, as well as working with executive leadership teams to develop and execute plans, responses and mitigation strategies to address significant cybersecurity risks that could otherwise negatively impact our ability to achieve our objectives. The Risk Committee’s cybersecurity management function addresses the Company’s information security challenges and risks from various IT-related sources.

Collaborative Approach: The Company has developed and implemented a robust approach to identify, prevent and mitigate cybersecurity threats and incidents. This is supported by clear and direct cross-functional escalation paths to ensure proper handling and analysis so that decisions regarding response, materiality and any resulting disclosure and reporting of such incidents are clearly allocated and can be made in a timely manner.
Technical Safeguards: The Company employs industry-accepted security tools, techniques, and system monitoring to protect the confidentiality of our systems and data. Maintaining the privacy and security of our associate, customer, and supplier data is paramount. The Company deploys technical safeguards which include, but are not limited to, encryption, multi-factor authentication, network segmentation, privileged access management and endpoint detection and response. These safeguards are evaluated on a routine basis with the intention of identifying and remediating potential vulnerabilities and enhancing the overall security framework.
Incident Response and Recovery Planning: The Company has established and maintains a comprehensive cyber incident response policy. This policy provides direction and guidance to address and manage security incidents, including identification, classification, and response.
Third-Party Risk Management: The Company maintains a risk-based approach to third-party engagement and the cybersecurity risks associated therewith. This approach adheres to Company policy, which includes regularly evaluating and identifying material risks from cybersecurity threats associated with third parties’ access to our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness: The Company provides annual mandatory global information security training and certification for personnel regarding cybersecurity threats. This training is offered in 20 languages to maximize associate accessibility and comprehension. Additionally, the Company administers monthly targeted trainings and phishing simulations for our associates. These activities are designed to develop a mature and vigilant, risk-aware culture among our associates.
The Company completes periodic assessments and testing of its practices addressing cybersecurity threats and incidents. These efforts include, but are not limited to, audits, assessments, tabletop exercises, and vulnerability testing and are focused on evaluation of cybersecurity policy efficacy. These assessments and testing efforts are supported by third-party consultants who specialize in cyber-risk mitigation. The results of these third-party engagements are used to inform enhancements and adjustments to our cybersecurity policies and practices.
Governance
Our full Board is responsible for the oversight of the Company's operational and strategic risk management processes. Our Board believes that oversight of risk management belongs at the full Board level rather than with any single committee, primarily because of the importance of understanding and mitigating risk to the overall success of our Company. As part of its risk management responsibilities, our full Board provides oversight of the Company’s management and mitigation of cybersecurity risks.
To gather information about risks to the organization, including cybersecurity, the Risk Committee identifies primary areas that generate enterprise risk and then distributes a survey to a group of our top leaders. The Risk Committee periodically summarizes its activities and findings (including the results of its survey and heat map analysis) related to cybersecurity and other risks directly to our CEO, as well as the Audit Committee and our full Board. The Risk Committee’s work is also used by our management team as part of our disclosure controls and procedures to ensure that information regarding material risks applicable to the Company is appropriately disclosed in our public filings.
While our Board maintains responsibility for oversight of all areas of risk management, it relies on our Audit Committee to address significant financial risk exposure we may face and the steps management has taken to monitor, control and report such exposures. These risks are further reported to the full Board, as appropriate.
The Risk Committee receives prompt information regarding any cybersecurity incident in accordance with our cyber incident response policy and crisis communication procedures. The Risk Committee, in concert with the executive leadership team, evaluates this information and escalates notice to the Board, as appropriate.
The CISO works collaboratively with the Risk Committee. The CISO has implemented and monitors a program designed to protect the Company’s information systems and to promptly respond to any cybersecurity incidents in accordance with the documented incident response plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams are engaged to identify, classify, and address cybersecurity threats and incidents. Through prompt notifications and ongoing communications, the CISO and other key management personnel work to monitor, prevent, detect, mitigate and remediate cybersecurity threats and incidents.
The Company’s cybersecurity programs are supported by experienced and knowledgeable leaders. The CISO has served in various roles related to information technology and information security for over 20 years. The CISO maintains relevant certifications, including Certified Information Systems Security Manager (“CISM”) and Certified Information Systems Auditor (“CISA”). Additionally, several cybersecurity team members reporting directly to the CISO maintain certifications, including CISM, CISA and Certified Information Systems Security Professional (“CISSP”). The Company’s Chief Digital & Information Officer has over 30 years of experience with information technology and digital strategy. The Company’s CEO, CFO and General Counsel each have over 20 years of experience managing risk at the Company or at similar companies, including risks arising from cybersecurity threats.

Cybersecurity threats, including those resulting from previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition.
