SPX Technologies, Inc. - (SPXC)

10-K Filing Date: February 22, 2024
ITEM 1C. Cybersecurity
All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. We understand the importance of securing our data and information technology systems and networks, as well as the data customers and other stakeholders entrust to us. We have established policies, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats which are integrated into our overall risk management program and based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”) and other applicable industry standards. Despite this, there can be no guarantee that our policies and procedures will be effective. Refer to “Risk Factors” for additional detail about the material cybersecurity risks we face. Our cybersecurity program includes the following:
Collaboration, Education, Incident Response and Recovery Planning

Our key security, risk, and compliance personnel meet regularly and, together with our cybersecurity consultants, develop strategies for preserving the confidentiality, integrity and availability of data and our information technology systems and networks. We have established incident response and recovery plans to address potential cybersecurity incidents which are regularly evaluated for their effectiveness. Management maintains controls and procedures and periodically conducts tabletop exercises that are designed to ensure prompt escalation of material cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board of Directors (our “Board”) in a timely manner. In addition, we regularly educate employees on the importance of maintaining the security of our information technology systems and networks and on handling and protecting customer and employee data, including through regular phishing awareness campaigns, security awareness communications, and recurring privacy and security training.
Risk Assessment and Technical Safeguards

On an ongoing basis, we assess cybersecurity risk, including the review of our policies, standards, processes and practices. These assessments include a variety of activities including third party security penetration testing and independent reviews of our information security control environment and operating effectiveness. The results of these assessment activities are presented to our Board, Audit Committee, and members of management. We regularly assess and deploy technical safeguards based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. In addition, our third-party technology service providers are contractually obligated to maintain cybersecurity controls and complete our security questionnaires at the time of onboarding. On a recurring basis, our third-party service providers are required to update their responses to our security questionnaires and, where available, additional information, such as System and Organization Controls (“SOC”) 1 or SOC 2 reports, is provided.
Board and Management Oversight

Our chief information officer (“CIO”) and chief information security officer (“CISO”) have primary responsibility for assessing and managing material cybersecurity risks. Quarterly cybersecurity updates are provided to executive leadership to review security key performance indicators, identify security risks, and assess the status of approved security enhancements and risk mitigation strategies. Our CIO has served in various roles in information technology and information security for over 30 years, including serving as the CIO of three other companies. Our CIO holds an undergraduate degree in computer science. Our CISO holds 11 industry security, risk, and/or privacy certifications and has served in various roles in information technology and information security for 25 years, including serving as the Director, Global Security, Privacy & Data Governance for one of the world's largest privately held transport corporations. Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. The Audit Committee receives regular cybersecurity risk reports from management and, at least annually, our Board receives reports from management, including our CIO and CISO, about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities.

