Crane NXT, Co. - (CXT)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Cybersecurity Oversight
Our Board of Directors is responsible for ensuring that the Company has effective procedures for assessing and managing risks to the Company’s operations, financial position, and reputation. The Board has charged the Audit Committee with responsibility for monitoring the Company’s processes and procedures for risk assessment and risk management. Cybersecurity represents an important component of our overall approach to enterprise risk management. The Audit Committee receives regular reports, including twice annually from our Chief Information Security Officer (“CISO”), on a wide range of cybersecurity topics, including our cybersecurity program’s performance, emerging threats, capability enhancements, recent developments, evolving standards, technological trends and other relevant topics. The Audit Committee also receives an update at least quarterly on the Company’s cybersecurity metrics and key performance indicators. Executive leadership is continually apprised of developments pertaining to our cybersecurity program through electronic communications and senior leadership meetings.
Cybersecurity Roles and Capabilities
Our CISO, in coordination with members of our senior leadership team such as our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”) and General Counsel (“GC”), works collaboratively across the Company to operate a program designed to protect our business from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams are deployed to address cybersecurity threats. Through ongoing communications with these teams, our CISO and senior leadership team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time.
Our CISO is responsible for communicating potential and actual cybersecurity incidents to our senior leadership team in a prompt manner. We have established internal reporting processes so that the Board of Directors and the Audit Committee will promptly receive information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Such processes are evaluated on a regular basis. In the event of a cybersecurity incident, the materiality of the incident will be evaluated and determined with appropriate input from the CEO, CFO, GC, CISO and other key participants in our cybersecurity program, including outside advisors to the extent appropriate.
Our CISO, reporting to our CFO, leads our cybersecurity program. Our CISO has more than 20 years of cybersecurity experience and holds CISSP (2002) and CISM (2009) certifications. The cybersecurity team reporting to our CISO is staffed by highly skilled cybersecurity professionals, including both internal staff and external partners. Many team members have one or more industry-recognized cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC), and Certified Information Security Manager/Auditor (CISM/CISA). In addition, our CEO, CFO and GC each hold undergraduate and graduate degrees in their respective fields, and each has extensive experience managing risks at Crane NXT and at similar companies.
Our security operations team is responsible for detecting, mitigating, and responding to cybersecurity threats through a network of technologies, capabilities, and best practices on a 24/7 basis. This team consists of internal employees located in several countries as well as a partner organization that supports our security operations team 24/7.
Cybersecurity Risk Management and Strategy
Our cybersecurity policies, standards, processes and practices are fully integrated into our enterprise risk management programs and are based on recognized frameworks and other applicable standards. Our cybersecurity program has comprehensive processes for assessing, identifying, and managing material risks from cybersecurity threats. Our cybersecurity program utilizes a risk-based, multi-layered information security approach following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) critical security controls. Our program has adopted and implemented an approach to identify and mitigate cybersecurity risks that includes commercially reasonable technologies for companies with similar risk profiles.
Our cybersecurity program is regularly assessed through activities such as penetration tests, internal audit assessments, an annual external PCI compliance audit in the CPI business, and ISO 27001 re-certification in the Currency business. The results of these assessments are reported to our Audit Committee, and we adjust our cybersecurity policies, standards, processes and practices to reduce cybersecurity risk based on the information provided by these exercises and assessments. Our cybersecurity team also conducts an annual incident response exercise that includes executive leaders to ensure alignment should we experience a cybersecurity incident.
We provide regular training and awareness for personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
Cybersecurity Identified Risks
As of the date of the filing of this Current Report on Form 10-K, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, nor are they reasonably likely to affect, us, including our business strategy, results of operations, or financial conditions.
We could be adversely affected in the future by any information system or technology network failure or breach in data security, including any such failure or breach involving personally identifiable or other confidential information, any non-compliance with our contractual or other legal obligations regarding such information, or any violation of our privacy and security policies with respect to such information. See also Item 1A, Risk Factors, “Information systems and technology networks failures and breaches in data security, personally identifiable and other information, non-compliance with our contractual or other legal obligations regarding such information, or a violation of our privacy and security policies with respect to such information, could adversely affect us.”