WATTS WATER TECHNOLOGIES INC - (WTS)

10-K Filing Date: February 21, 2024
Item 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.

We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements. We use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes the following:

risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;

a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;

the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls;

risk review of certain third-party service providers, including software vendors, third-party cloud services, and third-party hosting services, with ongoing risk monitoring for critical vendors through an external cybersecurity intelligence service;

cybersecurity awareness training of our employees, incident response personnel, and senior management; and

a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.

Ongoing Risks

We have not experienced any material cybersecurity incidents. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For a full discussion of cybersecurity risks, please see our Risk Factors in Item 1A.

Management Oversight of Cybersecurity

Our Chief Information Officer (“CIO”) and the Vice President (“VP”) of Information Security have primary responsibility for our overall cybersecurity risk management program and supervise both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CIO’s and VP of Information Security’s collectively have over 25 years of experience in leading information technology and security functions across strategy, architecture, engineering, and operations.

27

The CIO and VP of Information Security supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include but are not limited to risk assessments, including with the support of external advisors, briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Our Cybersecurity Council, comprised of cross-functional senior leaders from operations, finance, internal audit, product management, and information technology teams, also reviews and assesses security risks and issues from a business and technology perspective across all organizations within Watts on a quarterly basis, with the guidance and input of the CIO and VP of Information Security. Our executive management team is primarily responsible for assessing and managing our material or reasonably likely to be material risks from cybersecurity threats with the advice and input of the CIO and VP of Information Security, including based on the above and from external advisors as necessary.

Board Oversight of Cybersecurity

Our Board considers cybersecurity risks as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks.

The Audit Committee oversees management’s implementation of our cybersecurity risk management program and receives updates on the cybersecurity risk management program from the CIO and the VP of Information Security at least twice yearly. In addition, management updates the Audit Committee regarding any material or significant cybersecurity incidents, as well as incidents with lesser impact potential as necessary.

The Audit Committee reports to the full Board annually regarding cybersecurity. The full Board also receives annual briefings from the CIO and the VP of Information Security on cybersecurity, or from external experts on cybersecurity as part of the Board’s continuing education on topics that impact public companies.