IDEX CORP /DE/ - (IEX)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy.
The Company’s cybersecurity program is designed to be aligned to the Cybersecurity Framework published by the National Institute of Standards and Technology (“NIST CSF”). While we use the NIST CSF as a guide, this does not imply that we meet any particular standards, specifications or requirements. We conduct regular internal and external assessments of our information security and cybersecurity programs, including periodic external audits for company-wide compliance with our program as well as specific business unit alignment, as required, with U.S. federal acquisition regulations and UK Cyber Essentials certifications. An external penetration test is performed annually against the Company’s network, in addition to our regular internal vulnerability scans.
The Company’s internal Incident Response Policy sets forth specific protocols for cyber or data incident identification, detection, response and recovery. This process includes the assembly of a response team consisting of internal and external technical and legal experts immediately upon the event of a cyberattack or incident. The Company reviews and updates this process regularly, including by engaging in tabletop exercises to simulate cybersecurity and data breach incidents. The Company maintains global cybersecurity insurance coverage that is reviewed annually for adequacy against operations and information systems.
The Company has implemented a number of measures to mitigate cybersecurity risk in its operations, including annual cybersecurity awareness training for employees, regular internal phishing exercises, technical security controls, maintenance of certain backup and protective systems, physical and system security measures, and data security protocols. Once fully integrated, all of our businesses have access to a “cyber risk dashboard” that monitors various risk indicators. The cyber risk dashboard is monitored by our business units. The Company’s internal auditors periodically review and audit various processes and controls throughout the organization related to cybersecurity readiness.
The Company also has certain processes in place to manage cyber risks associated with third-party service providers which include various technical as well as contractual measures.
For more information on cybersecurity risks and how they affect our business, operating results and financial condition, please refer to Item 1A., “Risk Factors – The Company’s Business Operations May Be Materially Adversely Affected by Information Systems Interruptions or Intrusion, Including those Arising From Cybersecurity Attacks or Incidents or Violations of Laws Regulating Privacy and Data Security.” Based on our analysis at this time, we have not identified any risks from a cybersecurity threat or incident that we believe has or is reasonably likely to materially affect the Company.
Governance, Oversight and Leadership.
The Board and the Audit Committee oversee management’s efforts to address cybersecurity and information security risks. Senior management provides the Board updates on the Company’s cybersecurity program at least once a year, including as part of the Company’s enterprise risk management assessment, and the Audit Committee reviews the cybersecurity program at least twice a year and on an as-needed basis. Such reviews, among other things, include the results of internal and/or external assessments, a review of cybersecurity governance at the management level, and a review of the Company’s cybersecurity program and progress toward various initiatives.
The Company also maintains an Executive Cybersecurity Steering Committee (the “Cybersecurity Committee”), made up of key members of senior leadership, to oversee and monitor progress of various cybersecurity initiatives throughout the organization. The Cybersecurity Committee meets quarterly. In addition, the Company asks each business unit to designate an employee as the local Information Security Officer responsible for monitoring the business unit’s cyber risk dashboard and coordinating with local leadership to respond to identified risks accordingly. Each local Information Security Officer completes an annual certification process and receives regular updates with respect to the Company’s cybersecurity program.
The Chief Information Officer (“CIO”), who reports to the Chief Financial Officer, along with members of the corporate and business unit information technology teams, are generally responsible for developing and managing the Company’s cybersecurity programs. Our CIO has over 20 years of experience in various information technology and information security roles, and our information security team is comprised of employees with broad knowledge of cybersecurity issues gained through experience and through training and certifications. These individuals, along with other internal and external personnel as needed, monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and applicable personnel are informed of known cybersecurity incidents to form the appropriate incident response team and respond accordingly.