Snap-on Inc - (SNA)

10-K Filing Date: February 15, 2024
Item 1C: Cybersecurity

Cybersecurity and related considerations are a component of Snap-on’s cross-functional approach to risk management. Our cybersecurity policies and practices follow the cybersecurity framework of the Center for Internet Security (“CIS”) Controls and are integrated into the Company’s enterprise risk management practices. These practices are designed to enable the identification of, and provide management visibility into, the critical enterprise risks facing the Company, as well as to facilitate the incorporation of risk considerations into Company strategy and decision making. The Company’s cybersecurity program is designed to detect, contain and respond to cybersecurity threats and incidents in a prompt and effective manner with the primary goals of protecting information assets, preventing the misuse and loss of those assets, minimizing disruptions to the business, and establishing the basis for audits and risk assessments.

Elements of the cybersecurity program include:

A cross-functional approach to addressing and managing the risk from cybersecurity threats and incidents involving management personnel from operations, legal, risk, finance, information technology and other key business functions, and with oversight by the Board of Directors.
Collaboration mechanisms with public and private entities, including intelligence and enforcement agencies (such as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency), industry groups, consultants and other third-party service providers to identify and assess cybersecurity risks.
Technical safeguards intended to protect the Company’s information systems from cybersecurity threats, including data encryption, firewalls, threat monitoring, intrusion prevention and detection systems, anti-malware, access controls, privilege management, network segmentation, asset and endpoint management, and ongoing system security assessments.
2023 ANNUAL REPORT

Annual training for personnel regarding cybersecurity threats based on their roles, responsibilities, and levels of system access.
A risk-based approach to identifying and monitoring cybersecurity risks presented by third parties, such as vendors and service providers, that includes periodic assessments.
A data incident response plan that addresses the Company’s response to a cybersecurity threat or incident.

The Company’s Vice President and Chief Information Officer (the “CIO”) is principally responsible for overseeing the Company’s cybersecurity risk management program. The Company’s CIO, along with multidisciplinary teams throughout the Company, works collaboratively to implement a program designed to protect the Company’s information systems from, and respond to, cybersecurity threats and incidents, including any originating at its third-party providers. The Company has also appointed a Vice President, Information Technology Infrastructure and Security (the “VP of IT”), who oversees its Information Security Team. The CIO, who reports to the Company’s President and Chief Executive Officer, has served in her role since 2017 and has over 20 years of information technology experience in positions of increasing responsibility. The VP of IT has served in information technology leadership roles at Snap-on for over 12 years. In addition to regularly updating senior management on information security matters as part of the Company’s quarterly business review process, the CIO provides a dedicated presentation to the Board of Directors on information security matters at least once per year. The Company’s Chief Executive Officer and Chief Financial Officer each have many years of experience managing risk at the Company, including risks arising from cybersecurity threats. We believe that the CIO, the VP of IT, our other information technology business leaders and members of senior management have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats.

Each business group has a designated information security manager who is responsible for assessing the business unit’s cybersecurity risks and reporting them to the president of the group. The Company holds quarterly gatherings involving, among others, the CIO, VP of IT, representatives from the legal department, and the information security managers for our operating groups. In addition, as noted above, cybersecurity considerations related to our business groups are incorporated into the Company’s quarterly business review process, which involves senior management, including the Chief Executive Officer, the Chief Financial Officer, the Vice President, General Counsel and Secretary, the CIO and the VP of IT.

A key part of the Company’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company’s practices through auditing, ethical hacking, and other exercises focused on evaluating effectiveness. The Company regularly engages third parties to assess its information security environment. The Company’s Internal Audit function also annually evaluates compliance with the Company’s overall information technology policies, and the Vice President of Internal Audit reports the results of these assessments to the Audit Committee.

In addition, the Company has established a data incident response plan, which provides employees with the process and mechanism to report any suspected or confirmed cybersecurity threat or data incident. The CIO manages and coordinates the Company’s response to cybersecurity incidents, in consultation with the Company’s Vice President, General Counsel and Secretary, and, when appropriate, discusses the situation with the Chief Executive Officer and Chief Financial Officer. These leaders will determine whether to engage the Company’s Incident Response Team, a cross-functional group led by the CIO that includes the VP of IT, as well as representatives from legal (including the Vice President, General Counsel and Secretary), human resources, treasury, public relations, finance (including the Chief Financial Officer), and affected operations. The Company’s Information Security Team also promptly takes steps to protect the Company’s systems and information by containing and mitigating the impact of any incident. The Incident Response Team involves others, as appropriate, including third parties, such as technical consultants and outside legal counsel, and determines when to notify law enforcement or regulatory authorities. The Incident Response Team also coordinates communications with internal and external stakeholders.

The Incident Response Team leads the materiality assessment with input and guidance from senior management, including the Chief Executive Officer, Chief Financial Officer, and Chief Accounting Officer. In determining materiality, both quantitative and qualitative factors are considered, including the potential impact of the incident on the Company’s operations, competitive position, financial results, reputation, and customer or vendor relationships, as well as the nature of the information potentially exposed and the systems impacted. The Chief Executive Officer informs the Board of Directors and the Audit Committee regarding any significant incidents and collaborates on management’s recommendations concerning materiality. Management also facilitates external communications, as appropriate.


Management of cybersecurity risk is overseen by the Company’s Board of Directors and is supported by the Audit Committee. The Audit Committee is primarily responsible for evaluating the Company’s policies with respect to risk assessment and risk management, and it reviews and discusses the Company’s major financial and other risk exposures, including those relating to cybersecurity. Management annually briefs the Board on the Company’s enterprise risk practices, including cybersecurity matters that address a wide range of topics, such as new developments, evolving standards, vulnerability assessments, third-party and independent reviews, threat environment summaries, and technological trends. As discussed above, and when applicable, the Board and the Audit Committee also receive prompt information from the Chief Executive Officer regarding any material cybersecurity incident and appropriate ongoing updates regarding the same.

In response to the rapidly evolving cyber threat environment, the Company continues to invest in data security and system resiliency. See also Item 1A: Risk Factors for an additional discussion regarding risks related to information technology systems.