TIMKEN CO - (TKR)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Governance
Information security is an integral part of the Company’s overall enterprise risk management program. The Company's information security program provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of third-party service providers. This framework includes steps for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider, implementing cybersecurity testing, detection, response, prevention and mitigation strategies, and informing management and the Company's Board of Directors of material cybersecurity threats and incidents. The Company's information security team also engages third-party security consultants for penetration testing, training and system enhancements.
The Board of Directors has overall oversight responsibility for the Company's risk management function, and primarily relies on the Audit Committee to administer this oversight. With respect to cybersecurity, the Board and Audit Committee are responsible for confirming that the Company's management maintains appropriate cybersecurity policies and has processes in place designed to identify and evaluate cybersecurity risks to which the Company is exposed, to manage cybersecurity risks and to mitigate any cybersecurity incidents. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes for monitoring and mitigating potential cybersecurity risks and exposures, implementing appropriate mitigation measures and maintaining our cybersecurity program. The Company's cybersecurity program is under the direction of our Vice President, Technology, who receives reports from its cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents. The Company's dedicated personnel are certified and experienced information systems security professionals and information security managers with many years of experience. Management reports to either the Board of Directors or the Audit Committee at least annually on, among other topics, updates to the Company’s cybersecurity program and mitigation strategies, developments in cybersecurity practices generally, and third-party assessments of the Company’s cybersecurity program. Management also provides general program updates and industry trends to the Board and Audit Committee on a more ad hoc basis.
In 2023, the Company did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, despite our efforts, the Company cannot eliminate all risks from cybersecurity threats, or provide assurances that it has not experienced an undetected cybersecurity incident. For more information about these risks, please refer to Item 1A. Risk Factors – Risks Related to Data Privacy and Information Security in this Annual Report on Form 10-K.