ROPER TECHNOLOGIES INC - (ROP)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Roper’s Cybersecurity Program
Roper maintains a global Cybersecurity Program that outlines required cybersecurity controls for all Roper businesses. Given the decentralized nature of Roper’s operating model, day-to-day management and implementation of the Cybersecurity Program and deployment of the program’s cybersecurity controls are managed locally by each of Roper’s 27 business units. In addition, because Roper’s businesses generally operate independently and maintain separate infrastructure and systems, the risk of an enterprise-wide cybersecurity incident is somewhat reduced. While cybersecurity technologies and implementation may differ based on the needs and risk profile of each individual business, Roper has also implemented cyber tools and managed services to centrally monitor certain aspects of the Cybersecurity Program.
The Cybersecurity Program is supervised by Roper’s Vice President of Cybersecurity, who has related experience including cybersecurity, IT, Cloud, and Security Compliance. The Vice President of Cybersecurity has obtained a B.S. in Management Information Systems, a Master’s in Business Administration, and a Master’s in Management Information Systems. She also maintains the following industry cybersecurity certifications: CISA, CISSP, GSEC, GCED, GSA, and a Boardroom Certified Qualified Technology Expert (QTE).
Roper deploys cybersecurity practices and tools across all of its businesses to protect data, maintain resilient operations, and limit the impact of cybercrime. We deploy a Managed Detection and Response (“MDR”) solution across all of our business units and our Corporate infrastructure designed to address the detection, response, and remediation effectiveness of cybersecurity threats. This solution is intended to provide real-time visibility of the endpoint footprint across the enterprise, including patch management and vulnerabilities, device encryption, and cybersecurity threats and detections.
The Cybersecurity Program includes controls designed to identify and perform diligence on third parties as they are leveraged by Roper’s businesses in their respective software code development processes or for other purposes that require third-party access to critical infrastructure. The controls include, as appropriate, regularly assessing management of access controls and the cybersecurity risks posed by third parties.
Roper performs cybersecurity risk assessments to assess compliance with mandated cybersecurity controls and to assess the likelihood and impact of specific cyberattacks. Cybersecurity risk assessments are periodically performed to assess the internal compliance with cybersecurity strategy and implementation of cybersecurity controls. Areas identified for enhancement and improvement are monitored and tracked to remediation by the Roper Cyber team, including the Vice President of Cybersecurity.
We maintain a centralized incident response process with a forensic partner on retainer. In addition, we have cybersecurity insurance policies in place. Roper maintains a Cybersecurity Incident Response Plan (“CSIRP”), which requires each Roper business to designate a Cybersecurity Incident Response Team (“CSIRT”) that is responsible for receiving, reviewing, and responding to cybersecurity incident reports and activities. Cybersecurity incidents are required to be promptly reported to Roper, and such incidents and their resolution are then closely monitored by Roper’s cybersecurity team. We work on security awareness with our employees throughout the year with cybersecurity training and simulated phishing campaigns to better identify and report unusual behavior and to mitigate the likelihood and impact of possible incidents.
Cybersecurity Governance
Our Board of Directors (the “Board”) has not delegated responsibility for cybersecurity matters to a committee. Rather, the Board believes that due to the importance and continually evolving nature of cybersecurity threats, all members of the Board should participate in the oversight of these topics. As a result, management briefs the Board on cybersecurity matters during regularly scheduled Board meetings. Roper’s Vice President of Audit Services also periodically briefs the Audit Committee on cybersecurity matters and related risks, as needed.
Roper has also established a Cyber Disclosure Committee chaired by the Vice President of Cybersecurity to track and evaluate cybersecurity incidents and to assess their potential impact on the organization. This process builds upon the CSIRP and provides a framework for Roper management to monitor potentially material cyber incidents. The Cyber Disclosure Committee reports its activities and findings, as appropriate, to the Chief Executive Officer, Chief Financial Officer, Principal Accounting Officer, and General Counsel, and, if appropriate, to the Board of Directors.
To date, management has not identified risks from cybersecurity incidents, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Roper, including its business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors, We rely on information and technology, including third-party cloud computing platforms, for many of our business operations which could fail and cause disruption to our business operations.” above for more information. While we work to maintain our Cybersecurity Program, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks, and data or those of our third-party providers.