RESIDEO TECHNOLOGIES, INC. - (REZI)

10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
We have implemented an Enterprise Risk Management (“ERM”) program, managed by members of senior management, to identify, assess and monitor key risks that are aligned with our strategic and business objectives. Our policies and processes are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. We apply NIST best practices in how we implement security and privacy controls. We use NIST to define our practice in conducting risk assessments as well as to define our approach in managing internet of things (“IOT”) device security. We have identified various cybersecurity risks that could adversely affect our business, results of operations and financial condition, including violation of privacy laws; intellectual property theft; fraud; business interruption or ransomware; harm to customers or employees; and other legal and reputational risks.

Our Chief Information Security Officer (“CISO”) oversees our information security program, leading a team responsible for enterprise-wide cybersecurity strategy, policy, process, standards, and architecture. Our CISO holds an MBA in technology management and has over twenty-five years of technology leadership experience, along with other certifications in efficiency and project management. Beyond the CISO, the security team in charge of incident management has a strong bench of experienced information security practitioners holding diverse degrees in science, technology, computer science and mathematics. Members of the operations team have certifications such as the Certified Information Systems Security Professional (“CISSP”), Certified Information Security Manager (“CISM”), Offensive Security Certified Professional (“OSCP”), Certified Ethical Hacker and many more. They all come from backgrounds that complement professions in security and all of them have at least several years of industry experience.

Internal and external experts regularly evaluate our information security program, with results reported to senior management and our Board of Directors. We actively collaborate with vendors, industry experts, and intelligence and law enforcement communities to continually assess and enhance the effectiveness of our information security policies and procedures.

We follow a structured framework linked to specific security standards and the procedural practices that the security team employs in supporting associated activities. Our information security team works closely with our managed security service provider to triage identified anomalies and alerts that are raised as risks, and works across the company to validate the risk and act as deemed appropriate. The global security operations center (“SOC”) within the CISO’s organization is responsible for incident management, including identification, assessment of the initial threat, notification of key stakeholders, containment, remediation, and recovery. We have a cross-functional team prepared to respond to incidents in a timely manner and to assess our obligations when incidents occur.

We use technical safeguards to protect our systems from cybersecurity threats, including firewalls and access controls. As part of our risk management practice, and given the rapidly changing regulatory landscape, we focus on making relevant privacy and cybersecurity training available to all employees; this includes mandatory training for all users on privacy and security best practices, as well as awareness training tied to our phishing campaigns. Topics included in our yearly training include best practices in password hygiene, phishing awareness, data privacy and other focus areas. We periodically test our policies and practices to guard against cybersecurity threats and engage in audits, threat modeling, vulnerability testing and tabletop exercises.

We have an established practice to oversee and manage third-party service providers in order to protect our interests related to cybersecurity threats. The Contract and Procurement Security Services (“CPSS”) process has several key requirements of third-party vendors who manage or control our electronic information resources to ensure they protect our interests in cybersecurity, including: adherence to cybersecurity best practices, such as the NIST Cybersecurity Framework; completion of a security assessment questionnaire prior to any contract execution; and application of our GRC (Governance, Risk, and Compliance) Tool, which triggers automatic annual security reviews of vendors. The security compliance team within the CISO’s organization actively reviews and assesses the third party’s responses and takes appropriate actions based on the responses.

We continue to evaluate and enhance our systems, controls, and processes where possible, including in response to actual or perceived threats specific to us or experienced by other companies.

The Board and the committees of the Board oversee our risk profile and exposures relating to matters within the scope of their authority. Among other matters, the Audit Committee is charged with oversight of Resideo’s risks relating to enterprise-wide cybersecurity, including review of the state of the Company’s cybersecurity policies and programs and steps management has taken to monitor and control such exposures. Cybersecurity review with the CISO is a regular standing calendar item of the Audit Committee in connection with its overall ERM program oversight. In addition, our Information and Technology Committee coordinates with the Audit Committee on the oversight of our product technology and software cybersecurity program. The Audit Committee and Information and Technology Committee, together with the CISO, provide the full Board with visibility into the risks that impact us and the plans to mitigate them. The CISO’s reports to the committees and the Board include insights on operations, business cyber risks, emerging threats and key strategic initiatives driving improved security capabilities, and special topics around what the Company is doing to strengthen Resideo’s security posture.