Knowles Corp - (KN)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

As part of our overall risk management program, we have implemented processes to assess, identify, and manage the material risks facing the Company, including from cybersecurity threats. We designed and assess our cybersecurity risk management program based on the National Institute of Standards and Technology Cybersecurity Framework (the "NIST Cybersecurity Framework"). This does not imply compliance with specific technical standards, specifications or requirements of the NIST Cybersecurity Framework, but signifies its use as a guiding principle.

Our commitment extends to various programs and processes to stay informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. This includes regular scans, penetration tests, and vulnerability assessments to identify any potential threats or vulnerabilities in our systems. We also conduct "tabletop" exercises to simulate cybersecurity incidents to enhance our readiness and resilience in the face of potential cybersecurity threats. These exercises are conducted at both the technical level and senior management level. We have engaged external service providers, where appropriate, including leading cybersecurity firms, to assess, test or otherwise assist with aspects of our security processes.

We have a well-defined cybersecurity incident response plan aimed at facilitating an effective response and handling of cybersecurity incidents. The incident response plan outlines roles and responsibilities, criteria for measuring the severity of a cybersecurity incident, and provides for Audit Committee and Board briefings as appropriate. We have also implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Our employees participate in a security awareness program, receiving training on identifying potential cybersecurity risks and safeguarding our resources and information. This training is reinforced by testing initiatives, including periodic phishing tests. We also assess the cybersecurity risks presented by third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. In addition, we maintain business continuity and disaster recovery plans, as well as cybersecurity insurance.

To date, we have not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. That said, while we continually work to safeguard the information systems we use, and the proprietary, confidential and personal information residing therein, and mitigate potential risks, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks, and data or those of our third-party providers. See "Item 1A. Risk Factors – Our business and operations could suffer in the event of security breaches, cybersecurity incident, other unauthorized disclosures, or network disruptions."

Governance

The Audit Committee of the Board of Directors considers cybersecurity risk and other information technology risk as part of its risk oversight function. Our head of Internal Audit reports directly to the Audit Committee and is responsible for reviewing with the Committee our company-wide enterprise risk assessment, which includes an evaluation of cybersecurity risks and threats. In addition, the Audit Committee separately receives regular reports from our Vice President of Information Technology on, among other things, our cybersecurity risks and threats, the status of projects to strengthen our information security systems, and assessments of our security program. The Chair of the Audit Committee regularly reports to the full Board regarding its activities, including those related to our cybersecurity risk management program.

Our management team, led by our Vice President of Information Technology ("VP of IT"), has operational responsibility for our cybersecurity and information security framework and risk management. Our VP of IT has extensive cybersecurity knowledge and skills gained from over 20 years of experience in leading and managing global IT operations and security teams. In addition, our VP of IT has a Master of Science degree in Management of Information Systems from Rensselaer Polytechnic Institute. Our VP of IT is supported by a team of enterprise information system and security risk professionals. The VP of IT receives regular updates on cybersecurity matters, results of mitigation efforts, and cybersecurity incident response and remediation. He, in turn, provides regular updates on these matters to our Chief Financial Officer and our Chief Administrative Officer and works closely with our Legal department to oversee compliance with legal, regulatory, and contractual security requirements. In addition, in conjunction with Internal Audit, our VP of IT supervises any retained external cybersecurity consultants.