Motorola Solutions, Inc. - (MSI)

10-K Filing Date: February 15, 2024
Item 1C: Cybersecurity
Risk Management & Strategy
We assess, identify and manage material risks from cybersecurity threats through various protective policies, procedures and processes, including through: (1) the monitoring responsibilities of our cybersecurity program; (2) our information security policies and standards, including our global incident response procedure; (3) our audit services department’s annual enterprise risk management (“ERM”) assessment; (4) our third-party cybersecurity risk assessment program; and (5) cybersecurity insurance.
Designed to maintain the confidentiality, integrity and availability of customer and internal company information, our cybersecurity program focuses on protecting our enterprise information systems and the secure development and deployment of our products. We monitor for critical vulnerabilities and threat actor activity, and work to create a unified view to prioritize protecting our critical infrastructure (including potential impacts to key third-party service providers to the Company). The cybersecurity program, which is led by our Vice President of Cybersecurity & Information Technology Infrastructure, holds regular meetings to review ongoing internal information security investigations. We assess the effectiveness of our cybersecurity program using self-assessments and independent third-party analyses, and evaluate our program using frameworks such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. In addition to these independent third-party analyses, third parties also provide services to support our cybersecurity in several ways, such as through penetration testing and commercial information security threat sharing networks, and by assisting with tabletop exercises and certain monitoring activities.
We have designed and implemented a global incident response procedure, which helps enable us to quickly detect, respond to, and recover from third-party malicious attacks and potential security incidents. This procedure includes formal steps to review incidents and implement improvements, including steps to involve the Vice President of Cybersecurity & Information Technology Infrastructure and Corporate Vice President of Cybersecurity Services (described further below), as appropriate. In addition, we have other specific information security policies and standards, organized to align with various NIST frameworks, which we use to manage our cybersecurity risks.
Assessing, identifying and managing cybersecurity risks are integrated into our audit services department’s annual ERM assessment, which is designed to identify, assess, prioritize, mitigate and monitor our principal risks. The ERM assessment considers the probability, impact and velocity of potential risks and provides management and the Audit Committee with an overarching and objective view of the risk management activities of the Company. Audit services identifies and conducts engagements utilizing inputs from the ERM assessment. The engagements span financial, operational, strategic and compliance risks, with a view to assessing risks over a two-year time horizon. The engagement results assist management in maintaining acceptable risk levels. The Vice President of Audit Services reports directly to the Audit Committee as well as to the Chief Financial Officer and meets regularly with the Audit Committee and its chairperson, including in executive session. Separately, the Vice President of Audit Services and Vice President of Ethics & Compliance head an internal cross-functional team (which includes members from our cybersecurity and data privacy programs, among others) that holds regular meetings to discuss the key risks facing the Company and related mitigation efforts, including cybersecurity risks. Cybersecurity risk is tracked as a principal risk within the context of the ERM assessment.
In addition, we have processes designed to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. Pursuant to our third-party cybersecurity risk assessment program, any outsource partners and suppliers that have access to the Company’s data or customer data complete a risk assessment prior to the Company engaging with such parties. Using the assessments, our cybersecurity program looks to determine any gaps and identified risks, and then appropriate teams within the Company work to track and remediate such risks. These third-party risk assessments are foundational for how we manage and monitor our supply chain.
To further complement the processes described above, we maintain insurance related to cybersecurity risks. We maintain a broad portfolio of insurance coverage, leveraging the products of multiple companies to help ensure appropriate protection.
We are consistently subject to attempts to compromise our information technology systems from both internal and external sources and, like all information technology systems, our systems are potentially vulnerable to damage, unauthorized access or interruption from a variety of sources. As of the filing of this Form 10-K, we are not aware of any such attacks that have occurred since the beginning of 2023 that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition. However, if as a result of any future attacks our information technology systems are significantly damaged, cease to function properly or are subject to a significant cybersecurity breach, we may suffer an interruption in our ability to manage and operate our business, and our business strategy, results of operations or financial condition could be adversely affected. Such attacks, whether or not successful, could damage our reputation and result in us incurring significant costs related to, for example, repairing or replacing our IT systems; the loss of critical data; interruptions or delays in our ability, or that of our customers, to perform critical functions; defending against claims for breach of contracts, tort and other civil claims without adequate indemnification from our suppliers; providing time-sensitive notification requirements; and providing modifications or replacements to our products and services. In addition, the volume, frequency and sophistication of these threats continue to grow and the complexity and scale of the systems to be protected continue to increase. See “Risks Related to Information Technology and Intellectual Property” in “Part I. Item 1A. Risk Factors” of this Form 10-K for further information.
Corporate Governance
Our Board has delegated to the Audit Committee the responsibility to oversee risks related to cybersecurity threats. Specifically, subject to oversight by the full Board, the Vice President of Cybersecurity & Information Technology Infrastructure provides the Audit Committee with periodic cybersecurity and information security reports. These reports are informed by input from our cybersecurity program, headed by our Vice President of Cybersecurity & Information Technology Infrastructure, and our cybersecurity services business (which provides cybersecurity services to our customers), headed by our Corporate Vice President of Cybersecurity Services. Annually, the Vice President of Audit Services reviews the results of the ERM assessment with the Audit Committee as well. In addition, a subset or the full group of certain individuals, such as our Chief Information Officer, Corporate Vice President of Cybersecurity Services, Vice President of Cybersecurity & Information Technology Infrastructure, and Lead Counsel and Senior Director of Data Privacy, present at least once per year to the Audit Committee regarding cybersecurity and data privacy risk topics. The full Board is regularly informed about such risks through Audit Committee reports and presentations.
Our Corporate Vice President of Cybersecurity Services and Vice President of Cybersecurity & Information Technology Infrastructure, along with their teams, are in charge of assessing and managing our risks related to cybersecurity, including by setting our strategy, policies, standards and processes in these areas, as further described above under “Risk Management & Strategy.” Utilizing the processes noted above, these teams remain informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.
Our Corporate Vice President of Cybersecurity Services has over thirty years of work experience in the cybersecurity field, protecting both large corporations and global critical infrastructure assets, in both the policy and operational domains. This individual chairs the Public Safety Threat Alliance (PSTA), an information sharing organization established by the Company that is dedicated to the protection of public safety entities across the globe. This individual holds a Bachelor of Science degree in Management and Computer Science and has served as an intelligence officer in the United States Army.
Our Vice President of Cybersecurity & Information Technology Infrastructure has over twenty-five years of work experience in the information technology field, specifically information security. This individual began their career as a security engineer, progressing to a security architect, and then to overall leader of the Cybersecurity and Information Technology Infrastructure functions at the Company. This individual holds a Master of Computer Science degree. This individual also maintains a Certified Information Security Manager (CISM) certification from ISACA, an international professional organization focused on IT governance, as well as a Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium (ISC2), a leading member association for cybersecurity professionals.