Crane Co - (CR)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Our cybersecurity program is staffed by a team of highly skilled cybersecurity professionals, including over 24 dedicated internal cybersecurity resources. Four members of the security team currently hold Certified Information Systems Security Professional (CISSP) credentials, many hold one or more Global Information Assurance Certification (GIAC)/SANS Institute cybersecurity certificates, and in total the team holds over 70 security and network certifications. Our response team members are located in various global locations to ensure 24/7 monitoring and response capabilities and are backed by a 24/7 Managed Security Services Provider (MSSP) that monitors cybersecurity alerts. The program incorporates industry-standard frameworks, policies and practices designed to protect the privacy and security of our sensitive information, backed by a suite of best-in-class security technologies and tools to implement and automate security protections for our networks, employees, and customers.

We utilize a risk-based, multi-layered information security approach following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Critical Security Controls. We have adopted and implemented an approach to identify and mitigate information security risks that we believe is commercially reasonable for manufacturing companies of our size and scope and commensurate with the risks we face. Since the completion of the Company’s separation from Crane Holdings on April 3, 2023, and during the past five years (as Crane Holdings), no attempted cyber-attack or other attempted intrusion on our information technology networks has resulted in a material adverse impact on our operations or financial results, in any penalties or settlements, or in the loss or exfiltration of Company data. In the event an attack or other intrusion were to be successful, we have a response team of internal and external resources engaged and prepared to respond.

Crane has not experienced a material third-party security breach, but recognizes the inherent cyber risks associated with relying on third-party vendors such as cloud service providers, software vendors, data processors, and IT service providers with access to company information, systems, or processes. Crane is committed to managing these risks responsibly and transparently and has an active process in place to assess and reduce that risk, including performing due diligence on third-party vendors before onboarding and evaluating and assessing their cybersecurity policies, procedures, incident response plans, and relevant certifications (e.g., SOC 2, ISO 27001). We continuously monitor publicly available information about our third-party vendors for reports of security incidents, fully investigate any such reports for impact to Crane systems or information, and take appropriate measures to limit the impact to Crane in the event of a third-party security incident.

We educate and share best practices globally with our employees to raise awareness of cybersecurity threats. As part of our program, we maintain annual training for all employees on cybersecurity standards and provide monthly training on how to recognize and properly respond to phishing, social engineering schemes and other cyber threats. We use advanced systems to block and analyze all email for threats, and we equip our employees with an intuitive mechanism to easily report suspicious emails, which are then analyzed by our security systems and dedicated incident response team. Monthly “test” phishing emails are sent to our associates. Any failure to properly report a test email triggers a retraining exercise, accompanied by a monthly training vignette on cybersecurity awareness. To round out our robust awareness program, we have specific and regular training for our IT professionals, and we periodically engage independent third parties to test our information security processes and systems as part of our overall enterprise risk management program.

Cybersecurity Governance
Our approach to cybersecurity begins with our desire to maintain strong governance and controls to effectively manage and reduce security risks. Security begins with our “tone at the top”, where Company leadership consistently communicates the requirements for vigilance and compliance throughout the organization, and then leads by example. The cybersecurity program is led by Crane’s Chief Information Security Officer, who provides periodic updates to the Audit Committee of our Board of Directors, annual updates to the full Board of Directors, and regular reports to the executive management team about the program, including information about cyber risk management governance and the status of ongoing efforts to strengthen cybersecurity effectiveness. The entire Board of Directors ultimately is responsible for overseeing management’s risk assessment and risk management processes designed to monitor and mitigate information security risks, including cyber risks. The Company maintains cyber risk and related insurance policies as a measure of added protection.
