Allegion plc - (ALLE)

10-K Filing Date: February 20, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
Allegion plc recognizes the significance of developing, implementing, and maintaining cybersecurity measures to safeguard our information systems and products and protect the confidentiality, integrity, and availability of our data.
Managing Material Risks & Integrated Overall Risk Management
Cybersecurity is a critical part of our enterprise risk management. To address cybersecurity threats, we leverage a multi-layer approach, with our Chief Information Security Officer (“CISO”) leading a team that is responsible for forming our enterprise-wide information security strategy, training, policy, standards, architecture and processes to protect us against cybersecurity risks. Our risk management group works with our cybersecurity team to continuously evaluate and address cybersecurity risks. Further, we have an employee security awareness program in place and a security training program for technical personnel that provides mandatory and on-demand training.
Engage Third Parties on Risk Management
We engage a range of external experts, including cybersecurity consultants and auditors, to evaluate and test our risk management systems. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements. Our cybersecurity programs generally align with the NIST Cybersecurity Framework, and third-party audits on portions of our cybersecurity program or processes apply the NIST Cybersecurity Framework controls. These partnerships provide expert knowledge and insights, which are designed to ensure our cybersecurity strategies and processes are consistent with industry best practices.
Oversee Third-party Risk
We rely on our information technology systems and networks in connection with many of our business activities. Some of these networks and systems are managed by third-party service providers and are not under our direct control.
The Company has implemented processes designed to manage the cybersecurity risks associated with its use of third-party service providers.
Risks from Cybersecurity Threats
Despite the security measures we have implemented, certain cyber incidents could materially disrupt operational systems; result in loss of trade secrets or other proprietary or competitively sensitive information; compromise personally identifiable information regarding customers or employees; delay our ability to deliver products to customers; and/or jeopardize the security of our facilities. These risks are further described in the risk factors within Item 1A, particularly under the headings “We may be subject to risks relating to our information technology and operational technology systems”, “We currently rely on third-party service providers for many of the critical elements of our global information and operational technology infrastructure, and their failure to provide effective support for such infrastructure could increase our cybersecurity risk or otherwise negatively impact our business and financial results”, and “Disruptions or breaches of our information systems could adversely affect us.”
We have not encountered any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Governance
The Board of Directors has established oversight mechanisms designed to ensure effective governance in managing risks associated with cybersecurity threats.
Board of Directors Oversight
Due to the importance of cybersecurity to the Company, the full Board is charged with oversight responsibility for our risk management and security strategy and policy. The Board is composed of members with diverse expertise, including risk management, information technology, engineering, manufacturing, innovation and finance, equipping them to oversee cybersecurity risks effectively. The Board receives updates from the CISO and management at its quarterly board meeting, which updates cover the Company's cybersecurity strategy, current cybersecurity risk assessment, key risk areas, current cyber trends, and any significant cyber incidents that have occurred or are reasonably likely to occur.
Management’s Role
Management is responsible for assessing and managing cybersecurity risk. Specifically, the CISO is responsible for the prevention, mitigation, detection, and remediation of cybersecurity incidents. The CISO regularly meets with the Chief Executive Officer (“CEO”) and Executive Leadership Team to inform them on cybersecurity risks. These briefings encompass a broad range of topics, including:
Threat intelligence;
Risk updates with regional vice presidents;
Third-party assessments and results of tabletop exercises;
Training programs for employees;
Results of phishing simulations;
Cybersecurity technologies and best practices; and
Significant cybersecurity incidents and/or trends (if any).
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO. With over 20 years of experience in the field of information technology, the CISO brings a wealth of expertise to the role. The CISO’s education includes a Master’s in Cybersecurity Management. The CISO has in-depth knowledge and experience in developing and executing our cybersecurity strategies. The CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our comprehensive employee security awareness program. The CISO is also responsible for building and overseeing a cybersecurity team, including internal and external resources, who provide subject matter expertise and operational talents to achieve our cybersecurity objectives.
Monitor Cybersecurity Incidents
The CISO and the cybersecurity team are continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques, which is an important component in designing programs to prevent, detect, mitigate, and remediate cybersecurity incidents. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we have a well-defined incident response plan. This plan includes immediate actions to mitigate the impact, long-term strategies for remediation and prevention of future incidents, and informing the Board of significant cyber incidents in accordance with the Company’s incident response plan.