PENTAIR plc - (PNR)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Our management and Board of Directors (the “Board”) recognize the importance of maintaining the security and resiliency of our cybersecurity environment to deliver on the expectations of our customers, dealers, business partners, employees and investors. The Board is actively involved in our risk management practices, including oversight of our overall enterprise risk management (“ERM”) program, in which cybersecurity risk is included. Our cybersecurity program is aligned with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and leverages International Organization for Standardization and other applicable industry standards. Overall, the purpose of our information security program is to protect the confidentiality, integrity and availability of our systems and data, along with the safe operation of our connected products. This is supported by our security operating framework, roadmap and governance.
Cybersecurity Risk Management and Strategy
Our cybersecurity program is focused on the following areas:
Security governance
We have established processes to assess, identify and manage material risks from cybersecurity threats. Annual risk assessments are performed and incorporated as part of our ERM organizational process. Strategic and operational cybersecurity risks are assessed, identified and managed by our cybersecurity team, which is led by our Chief Information Security Officer (the “CISO”). Our cybersecurity team shares information regarding such risks with our Security Steering Committee, which consists of our Chief Financial Officer, General Counsel, Chief Human Resources Officer, Chief Technology Officer and Chief Supply Chain Officer, and our ERM function, both of which support the Board’s oversight of cybersecurity risk.
Technical safeguards
We deploy technical safeguards that are designed to protect our systems from cybersecurity threats, including firewalls, anti-malware software, and authentication and authorization controls. Ongoing enhancements are integrated into our security roadmap, as informed by our security audits and assessments.
Security and privacy incident response
We have in place an incident response plan to identify, protect, detect, respond to and recover from cybersecurity threats and incidents. The CISO, the Security Steering Committee, our Chief Executive Officer and the Board are notified of any material cybersecurity incidents through an established escalation process.
Our incident response team maintains a standard playbook to respond to any potential cybersecurity incidents. We test and evaluate our plans on a regular basis.
Third-party risk management
We maintain a risk-based third-party risk management process to identify, assess and manage risks presented by service providers, vendors and other third parties that access our systems or that process or store our data.
Security awareness and training
We provide ongoing security awareness and training to educate internal users on how to identify and report potential issues. Professional-level employees receive mandatory cybersecurity education and training. Employee phishing tests are conducted on a regular basis. Employees who do not follow protocol are redirected for additional training. We also provide periodic updates to employees on emerging cybersecurity trends and ways to protect themselves and our company.
Security audits and assessments
We perform periodic security audits and assessments to test our cybersecurity program. These efforts span our cybersecurity program and include, but are not limited to, audits, assessments, tabletop exercises, vulnerability scanning and penetration tests. We regularly engage third parties to assess our cybersecurity program, including through cybersecurity maturity assessments, penetration testing, and independent review of our security control environment and its operating effectiveness. The results of the assessments are provided for review to the Security Steering Committee and the Audit and Finance Committee of the Board. We believe our cybersecurity program is enhanced by the results of the audits, assessments and reviews performed.
Governance
The Board is responsible for general oversight of our risk management, including cybersecurity risk. The Audit and Finance Committee of the Board is responsible for overseeing our risk exposure to information security, cybersecurity and data protection, as well as the steps management has taken to monitor and control such exposures. Cybersecurity reviews are conducted at least quarterly, and the CISO and/or Chief Financial Officer report on them to the Board or the Audit and Finance Committee at least quarterly.
Our cybersecurity team, which assesses and manages our risks from cybersecurity threats, is led by the CISO, who reports to our Chief Financial Officer. Additional oversight of the assessment and management of cybersecurity risk is provided by the Security Steering Committee and through our ERM program.
The CISO has over 20 years of cybersecurity and technology experience and has previously held Chief Information Security Officer positions at a large public retail company, as well as at a public technology company and services organization. The CISO has an undergraduate degree in Management Information Systems. Members of our cybersecurity team have, combined, over 100 years of cybersecurity experience, hold degrees including Bachelor's degrees in Information Systems or Management Information Systems and/or Master's degrees in Security Technologies, and hold professional certifications including Certified Information Systems Security Professional, Global Information Assurance Certification Security Essentials, Certified Cloud Security Professional, Certified Information Systems Auditor, Microsoft Cybersecurity Architect Expert and/or Certified Digital Forensics Examiner. Our Chief Executive Officer, Chief Financial Officer and General Counsel each hold degrees in their respective fields, and each has over 25 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.
Impact of Cybersecurity Threats
Previous cybersecurity incidents have not materially affected us, including our business strategy, results of operations or financial condition. However, risks from cybersecurity threats, including but not limited to exploitation of vulnerabilities, ransomware, denial of service, supply chain attacks, or other similar threats may materially affect us, including our execution of business strategy, reputation, results of operations and/or financial condition. See ITEM 1A. “Risk Factors - Increased cybersecurity threats and computer crime pose a risk to our systems, networks, products and services, and we are exposed to potential regulatory, financial and reputational risks relating to the protection of our data” for a discussion of cybersecurity risks.