TRIMBLE INC. - (TRMB)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
The Company takes a multifaceted approach to assessing, identifying, and managing material risks from cybersecurity threats. The cybersecurity risk management processes described below are integrated into the Company’s overall risk management system.
Each Trimble sector has identified a dedicated expert to assess vulnerabilities, calculate risks and determine where risk mitigation efforts are needed. These experts work with the Company’s Chief Information Security Officer (“CISO”) and alongside product engineering personnel, to review technical risk data that comes from our central risk tracking system, prioritize risk mitigation activities, and manage other risk management processes. We employ a variety of security protections in our digital systems, including access controls and logging, denial of service protection, and automated intrusion-prevention tools. We have an information security training program, including an annual program of general security awareness for all employees and developer training throughout the year. We maintain an information security risk insurance policy.
As part of our product development activities, we have implemented the Trimble Secure Development Life Cycle (“TSDLC”), which uses overlapping security activities and controls to build robust security into the cloud-based products and services we provide, some of which are also deployed across our own IT infrastructure. TSDLC includes vulnerability scanning, intrusion prevention, tracking of security metrics, and code analysis vulnerability tools. Over 100 of our products are certified to ISO/IEC 27001:2013, which addresses secure information, resilience to cyber-attacks, existence of a centrally managed framework, organization-wide protection, responses to evolving security threats, and protection of data.
Core information technology systems supporting our business operations are backed up and stored outside of our network infrastructure. Our cloud-based systems, including products we sell, utilize configurations for backup designed to prevent data from being destroyed as a result of a cyber event.
Trimble’s incident response process is based on widely accepted industry frameworks, such as the cybersecurity framework set forth by the National Institute of Standards and Technology (“NIST”). Our framework includes steps to: identify threat actors, contain the affected infrastructure, eradicate threat actor access, recover affected data or systems, and study lessons learned to help ensure any root causes are mitigated outside of the affected area.
Each year, our team of cybersecurity specialists builds a strategic vision of shared outcomes which provides the basis for how cybersecurity risks are factored into the Company’s risk management initiatives. Along with the rest of the Company, the cybersecurity team, led by the CISO, sets goals for cybersecurity risk management that are then periodically tracked and reported back to the cybersecurity team and to our CEO and Audit Committee.
We utilize a set of third parties for technical and non-technical evaluation of our security posture, including regular assessment of our products for vulnerabilities. We also perform an annual external “red team” assessment that provides an attack simulation for our security operations team to identify and triage. We perform a vendor security assessment process for purchases over a certain minimum threshold.
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and the Company is not aware of a basis to believe that such risks are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition. For additional information, see Item 1A. Risk Factors—Our internal and customer-facing systems, and systems of third parties we rely upon, may be subject to cybersecurity breaches, disruptions, or delays.
The Board has overall responsibility for the oversight of risk management for the Company, and it exercises this oversight through Board committees and regular engagement with the Company's senior management. The Audit Committee is responsible for oversight of cybersecurity risk exposure and mitigation, and receives regular updates on cybersecurity risk management as well as timely notice of any material cybersecurity developments from the CISO through our escalation processes. The CISO presents quarterly or as needed at the Audit Committee meetings on the Company’s cybersecurity risk management activities.
We have a dedicated team that is led by the CISO, who has a technical degree in computer science from an accredited public university and has over 20 years of information technology and cybersecurity experience in multiple industries, including financial services and defense. The team comprises security engineers, detection specialists, and business cybersecurity experts. When the team identifies credible risks, we invoke our incident response process to track and manage the details, quickly manage exposures, assess potential customer impact, and facilitate consistent reporting to our CEO and to our Audit Committee.