CURTISS WRIGHT CORP - (CW)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Our Board is actively engaged in the oversight of the Company’s cybersecurity, information security, data protection, and technology programs (“cybersecurity”). The Audit Committee of the Board, acting through its written charter, serves as the principal agent of the Board in fulfilling its oversight and review of the Company’s policies and procedures with respect to cybersecurity risk assessment and risk management. The Company’s Chief Information Officer (CIO) leads the Company’s cybersecurity risk assessment and risk management program. Our CIO, with over 25 years of experience leading cybersecurity oversight, brings a wealth of expertise and in-depth knowledge that is instrumental in developing and executing our cybersecurity program.
Our cybersecurity program is fully integrated into the Company’s overall enterprise risk management program. Our Vice President, Risk and Compliance (VP of Risk) facilitates the enterprise risk management program, and helps ensure that risk management is integrated into our strategic and operating planning process. The VP of Risk works closely with the CIO and his information technology security team to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level.
The CIO continually assesses industry best practices, frameworks, and standards, and leverages them to advance our cybersecurity program. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. Our cybersecurity risk management program includes the deployment of tools and activities designed to prevent, detect, and analyze current and emerging cybersecurity threats, and plans and strategies to address threats and incidents. Program highlights include:
a. Employing a multi-layer strategy of defense designed to ensure the safety, security, and responsible use of information and data.
b. Monitoring of all IT assets, resources, and data 24 hours per day, 7 days per week, 365 days per year by a security operations center (SOC).
c. Performing annual testing of the Company’s incident response plan and cybersecurity posture by a third party.
d. Incorporating external expertise to manage the SOC, perform penetration tests and cyber-attack simulation exercises, and conduct log management to review anomalies indicating a possible breach.
e. Maintaining a business continuity program and cyber insurance.
f. Performing periodic simulated phishing campaigns for employees.
g. Conducting annual cybersecurity and insider threat training for all employees.
In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers. Our Internal Audit team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of the hosted applications are required to provide a System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis.
The CIO plays a pivotal role in informing the Audit Committee, as well as our CEO and other members of our senior management team, including our Chief Financial Officer (CFO), COO, and General Counsel, on cybersecurity risks. The CIO provides comprehensive briefings to the Audit Committee on a periodic basis, which the CEO and other members of our senior management team attend. This report includes discussions of rapidly evolving cybersecurity threats, cybersecurity incidents, cybersecurity technologies and solutions deployed, major cybersecurity risk areas, and policies and procedures to address those risks and cybersecurity incidents. The report also includes third-party assessments of our cybersecurity program, which are conducted regularly. The CIO also informs the CEO and other members of our senior management team on a more informal basis of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing us. Any significant cybersecurity matters and strategic risk management decisions related thereto are escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on significant cybersecurity issues.
In 2023, the Company achieved its primary cybersecurity risk management objective of no material cybersecurity incidents.
As of the date of this report, the Company is not aware of any material risks from cybersecurity threats, including those resulting from previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For more information about the cybersecurity risks we face, see the risk factor entitled “Intrusion on our systems could damage our business” in Item 1A “Risk Factors” of this Form 10-K.