Vontier Corp - (VNT)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
We assess, identify and manage the material risks from cybersecurity threats relevant to our businesses through robust programs, including enterprise risk management (“ERM”), our risk assessment process (“RAP”) and our cybersecurity program. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect, our business strategy, results of operations or financial condition.
There is strong engagement in risk management from company leadership, including the CEO, executives and senior leaders. The ERM program is driven by Vontier’s Executive Risk Committee, which is led by the SVP, Chief Administrative Officer and comprised of business and functional leaders. Our Audit Committee oversees the ERM program, and the Board of Directors receives regular updates on topics that are identified through the RAP and the overall risk management process.
Through the RAP, which is a tool in our ERM program, we identify and assess cybersecurity risks at a business unit level, evaluating the likelihood and potential impact of a risk universe encompassing finance, human capital, operations, information technology, legal and regulatory compliance, and strategy. Risks are individually analyzed from both inherent and residual perspectives, considering existing controls and mitigation processes in place. The businesses leverage the results from the assessment process to identify and implement efforts to further mitigate risks. Progress on mitigation projects is monitored and regularly reported to leadership as part of the RAP.
In addition to our ERM and RAP, we have a cybersecurity program led by our Chief Information Officer (“CIO”), who reports to our Chief Financial Officer. Our current CIO has over 20 years of experience with large global companies, where he worked extensively in providing strategic IT leadership and management in the areas of digital transformation, cybersecurity, risk management and ERP implementation. Our CIO oversees our Information Security department, chairs the Vontier Information Security Executive Committee (“VISEC”), which includes cross-functional leaders from finance, internal audit, information security, information technology, and legal and corporate affairs, and works with the businesses to conduct enterprise product security assessments, perform penetration testing and advance our cybersecurity policies and procedures. We have developed information security policies and standards based on the NIST Cybersecurity Framework, an internationally recognized framework, and we engage with third parties on our incident response processes and cybersecurity maturity assessment, as well as on our cybersecurity awareness, data security governance and vendor cyber risk management. Additionally, we review our cybersecurity maturity assessment on an ongoing basis to measure the Company’s ability to protect against, detect, respond to and recover from a cyber incident.
The VISEC addresses relevant cybersecurity issues and provides guidance and updates on information security programs and projects. Additionally, the VISEC oversees the coordination of information security mitigation efforts arising from internal assessments, including from the RAP, as applicable. The Board has delegated to the Audit Committee the responsibility of exercising oversight with respect to the Company’s cybersecurity risk management and risk controls. Our CIO provides multiple updates each year to the Audit Committee regarding cyber risk management governance and the status of projects that strengthen cybersecurity effectiveness. The full Board regularly receives briefings from the Audit Committee and management regarding the Company’s cybersecurity program, including the Company’s monitoring, auditing, implementation and communication processes, controls, and procedures.
In the event of a cyber incident, our CIO leads the execution of our cyber response plan, which involves a cross-functional group and defines triggers for escalation. We have also established a business continuity program to assess the cyber risks associated with our critical facilities’ ability to recover and resume operational functionality. We continue to engage and educate employees internally on relevant cybersecurity threats.