Polaris Inc. - (PII)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
As a key component of Polaris’ Enterprise Risk Management process, Polaris’ cybersecurity risk management program is designed to align with industry-standard cybersecurity frameworks and includes processes related to each of the following functions: identification, protection, detection, response, and recovery. Examples of relevant processes include steps for: assessing the severity of a cybersecurity threat; identifying the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider; implementing cybersecurity countermeasures and mitigation strategies; and remediating and escalating cybersecurity incidents using cross-functional expertise. Our cybersecurity risk management program also includes risk-based processes related to overseeing and identifying cybersecurity risks associated with the use of third-party providers, including processes related to: conducting cybersecurity assessments of third-party service providers, including cybersecurity obligations in contracts with third-party service providers; and receiving and responding to notification of cybersecurity incidents of third-party service providers. Our cybersecurity team engages third-party security experts to assist with our processes for assessing, identifying, and managing risks from cybersecurity threats, including, for example, assessment of the maturity of our cybersecurity risk management program, penetration testing, employee awareness testing, phish testing, and incident monitoring and response, including conducting tabletop exercises.
Our cybersecurity risk management program is under the direction of our Senior Vice President and Chief Digital and Information Officer, who has 30 years of technology leadership, and staffed by a cybersecurity team that includes personnel with a range of information and product security experience, from early-career professionals with cybersecurity degrees to seasoned professionals with multiple cybersecurity-related certifications and more than twenty years of experience. The Senior Vice President and Chief Digital and Information Officer received reports from our cybersecurity team on the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our Executive Cybersecurity Council meets as appropriate and receives updates from the Senior Vice President and Chief Digital and Information Officer and the cybersecurity team regarding our cybersecurity risks and risk management program; cybersecurity incidents and our response to them; and, as appropriate, developments in the external cybersecurity landscape, including learnings from external cybersecurity incidents.
Our full Board of Directors provides oversight of our cybersecurity risk management program and receives updates on the program from the Senior Vice President and Chief Digital and Information Officer on a quarterly basis, or more frequently as appropriate. Those updates include information regarding our cybersecurity risks and risk management program; cybersecurity incidents and our response to them; and, as appropriate, developments in the external cybersecurity landscape, including any learnings from external cybersecurity incidents.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors - Regulatory, Intellectual Property, Cybersecurity and Privacy Risks” in this annual report on Form 10-K.