Vertiv Holdings Co - (VRT)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Overview
The Company, its management and its Board understand the critical importance of cybersecurity in maintaining the trust, confidence and support of customers, employees, and other stakeholders. As a supplier of critical digital infrastructure technologies to our customers, the Company is reliant on technology and information systems that may comprise part of the products we sell or the services that we provide. As a worldwide business, we have also become increasingly dependent on digital technologies, including information systems, infrastructure and cloud applications and services, to operate our businesses, process and record financial and operating data (including processing customer orders, shipping products, billing our customers, and tracking inventory), communicate with our employees and business partners, and perform other activities related to our businesses. Our evolution into smart products, Internet of Things, business-to-consumer, and e-commerce subjects us to increased cyber and technology risks. The secure operation of our information technology systems and networks, and having skilled personnel to assist in ensuring their continued security, is critical to our business operations and strategy.
Our cybersecurity program aims to provide a robust, dynamic and secure environment that protects the confidentiality, integrity, and availability of this data. Our cybersecurity program has a fully defined set of documentation that is aimed at identifying, assessing and responding to cybersecurity risks. Our implementation of various internal and external controls and processes, including appropriate internal risk assessment and internal policy implementation, incorporating a risk-based cybersecurity framework to monitor and mitigate security threats and other strategies to increase security for our information, facilities and infrastructure, is discussed below. In addition, we provide disclosure and discussion with respect to the following facets of the Company’s cybersecurity program: (a) our risk management processes and overall strategy for addressing cybersecurity threats and incidents within the context of our information systems (each as defined in Item 106 of Regulation S-K); (b) the potential impact of cybersecurity threats on our business strategy, results of operations, and financial condition; and (c) the respective roles of the Board in overseeing, and the Company’s management in assessing and managing, cybersecurity threats and cybersecurity incidents.
Risk Management and Strategy
Processes for Assessing, Identifying, and Managing Cybersecurity Threats: The Company maintains a fully defined set of documentation for assessing, identifying, and managing material risks from cybersecurity threats. We recognize the risk that cybersecurity threats pose to our operations, and cybersecurity is an integral component of our overall enterprise risk management (ERM) strategy. Our cybersecurity framework is aligned with the National Institute of Standards and Technology’s Special Publication 800-53 and comprises the following four main pillars:
Risk Governance: The Company’s cybersecurity program utilizes a cross-functional approach to addressing cybersecurity risks and engages in discussions with the Board (or a committee thereof) and our executive officers accordingly on an as-needed basis. The Company’s cybersecurity processes are implemented to help ensure that the Company’s cybersecurity practices are aligned with the Company’s overall ERM standards and practices. The Company has formed a Cyber Risk Oversight Committee (CROC) to oversee the Company’s cybersecurity program. Our CROC, in turn, communicates any unresolved risks to the Company’s Enterprise Risk Committee (ERC) and the ERC interacts with the Board, the Audit Committee and executive management on a regular interval, or more frequently (if necessary) in regard to such risks. Currently, the CROC is comprised of representatives of our IT department as well as senior leadership, including all direct reports to our CEO. The ERC is comprised of our Chief Legal Counsel, Senior Director of Global Risk Oversight and various heads of regional or global business units and corporate functions, including but not limited to, IT, finance, accounting, legal, and human resources.
Risk Identification: We have developed risk identification and vulnerability management procedures that address the identification, prioritization, and remediation of cybersecurity vulnerabilities. To facilitate this program, the Company has created a risk register to assess and monitor potential risks. As discussed below, the Company uses certain third-party tools to identify and manage cybersecurity vulnerabilities. Each risk in the risk register is monitored by one of our cybersecurity members and updates are reported to the CROC as needed.
Risk Assessment: The Company generally evaluates risks, including cybersecurity risks, based on probability, impact and proximity. As part of its program, the Company conducts formal cybersecurity risk assessment exercises at least bi-annually. The Company has documented processes and protocols in order to delineate unacceptable levels of risk and assess such risks based on a number of factors.
Risk Response: We have developed various playbooks that comprise a comprehensive written incident response plan (collectively, our IRP). This IRP describes the procedures for handling a variety of cybersecurity incidents; categorizes the types of potential cybersecurity incidents and the timeframe for reporting each; establishes cybersecurity incident response levels; provides for the conducting of legally privileged investigations to enable us to meet applicable legal obligations, including possible notification requirements; and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident, including but not limited to, the process to escalate risks to our Board, Audit Committee and our executive management, as necessary. Incidents with respect to third parties are managed internally using the same basic processes as managing internal cybersecurity incidents.
Third-Party Risk Management: The Company’s comprehensive approach to cybersecurity and its associated risk management framework requires, when applicable, the engagement of certain third parties, which could include law enforcement, vendors, and other software or service providers. The Company leverages substantial technological tools and partners to augment and enable the efforts of its internal cybersecurity team. These third parties assist with various cybersecurity functions including monitoring, threat detection, vulnerability management, network segmentation, mobile device management, data protection, tabletop exercises, semi-annual penetration testing, multi-factor authentication, and threat intelligence.
Education and Awareness: In consultation with our cybersecurity team, we mandate annual cybersecurity awareness training for Company personnel, and regularly conduct simulated phishing attacks as a means to equip them with effective tools to detect and address cybersecurity threats as well as to communicate our evolving cybersecurity policies, standards, processes, and practices in the context of our information systems.
Impact of Cybersecurity Threats: To date, there have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or have been reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition.
Governance
Board Oversight of Risks from Cybersecurity Threats: The Board is ultimately responsible for the oversight of risks from cybersecurity threats and collaborates with the Audit Committee of the Board and the ERC in these oversight responsibilities. The responsibilities of the ERC include participating and collaborating with the CROC to oversee policies and management systems for cybersecurity matters, overseeing the identification, assessment and response to cybersecurity risks, maintaining and implementing our IRP, and communicating on a regular interval, or more frequently (if necessary) with the Board, the Audit Committee and executive management in regard to such risks. The Company's processes call for prompt and timely notifications and updates to the Board and the Audit Committee, as applicable and as necessary depending on the nature and severity of the incident, in connection with any cybersecurity incidents that may occur. In addition, the Board, the Audit Committee, and the ERC receive regular presentations and reports on cybersecurity matters that address the full range of cybersecurity topics discussed herein. Further, on a periodic basis, the Board and/or Audit Committee and the ERC also discuss our cybersecurity programs and processes with our Chief Information Officer (CIO) and Chief Information Security Officer (CISO).
Management’s Role in Assessing and Managing Cybersecurity Threats: Management’s role in assessing and managing our material risks from cybersecurity threats is documented in the Company’s IT and Cybersecurity Risk Management Strategy Plan (our Cybersecurity Plan), and our processes for identifying, assessing, prioritizing, and remediating vulnerabilities are documented via our Cybersecurity Plan (and the documents referenced therein) and our IRP. Our management cybersecurity team consists of all of the direct reports to our CEO, including our CIO, as well as dedicated cybersecurity personnel – including without limitation, our CISO, multiple cybersecurity engineers and other business level stakeholders. Although there is overlap between the CROC and our management cybersecurity team, the CROC is intended to function as a proactive group to assess and treat risks prior to an incident occurring and the cybersecurity management team is tasked with responding to threats or incidents. In connection with and pursuant to our enterprise risk management plan, our cybersecurity team, the CROC and our ERC work collaboratively across the Company to implement programs and processes designed to protect our information system from cybersecurity threats, assess and manage risks arising from any such threats, and to promptly respond to cybersecurity incidents.
Upon the discovery of a potential or actual cybersecurity incident, the detecting party is obligated to inform the CISO, or deputy CISO if the CISO is unavailable, as an initial step. We also employ the services of an outside vendor that is tasked with contacting the CISO, or the CISO’s delegee, upon learning of an incident. Subsequently, our CISO will guide the initial analysis of the cybersecurity incident, and depending on the nature of the incident, these cybersecurity incidents may be escalated to our CIO and above according to the guidelines set forth in the IRP. Analysis of the potential impact of the cybersecurity incident is one of the primary objectives of our initial response. Once the severity level and appropriate management protocol for responding to the cybersecurity incident have been determined in accordance with our Cybersecurity Plan and IRP, the CIO, or the CIO's delegee, may elevate the incident to the CEO, Chief Legal Counsel, Board, and Audit Committee as needed (depending on the nature and severity of the incident) for further investigation and response, including for an assessment of materiality. Depending on the nature of the incident, the CIO or Chief Legal Counsel will coordinate a notification and communications plan and event analysis across the appropriate teams, which may involve updates to our cybersecurity management team, the Board, the Audit Committee, the ERC and the CROC.
Relevant Expertise of Management: Our CISO has more than 20 years of intelligence, information technology and cybersecurity experience, and holds a Master's degree in the area of Cybersecurity and Information Sciences from The Pennsylvania State University. His prior roles include senior level positions in the Defense, Financial Services and High Technology industries. Our CIO has more than 30 years of information technology and cybersecurity experience at various levels. She holds an executive MBA from the Quantic School of Business and Technology, a Graduate Certificate in SAP from Central Michigan University, a Master's in computer information systems from Grand Valley State University and a BA from the University of Michigan. Her prior roles include positions as Chief Information Officer and Vice President of Information Technology and Digital Office of Adient plc, a global automotive seating manufacturer, and Chief Information Officer and Vice President of Information Technology, Power Solutions of Johnson Controls.