ITT INC. - (ITT)

10-K Filing Date: February 12, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.
We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage the cybersecurity risks that are relevant to our business.
Our cybersecurity risk management program is integrated into, and forms an integral part of, our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
We have established a proactive approach to identify and manage material cybersecurity threats which includes, but is not limited to, the following:
Security policies and practices aligned with NIST Special Publication 800-171, Revision 2 (NIST 800-171 Rev 2) and the organization’s enterprise risk management requirements;
Annual cybersecurity reporting and strategic update to ITT's Board of Directors;
Enterprise-wide centralized Security Information and Event Management (SIEM);
Regular red-team attack simulations led by industry-leading third-party cybersecurity firms;
Continuous internal and external facing vulnerability management scanning;
Threat intelligence feeds from various external sources (fee and non-fee based);
Threat hunting;
Strategically deployed artificial intelligence-based threat detection technology;
Cyber risk assessment and classification processes;
Cyber threat tabletop simulation exercises;
Cyber Incident Response Plan processes;
Externally led, targeted threat hunting exercises;
Engagement of forensic cybersecurity and data analysis firms (as needed) to conduct independent validation assessments if a breach is suspected and/or validated;
Engagements with third-party consultants to build, design, and improve cyber risk management tools and processes;
Third-party technology and service provider risk evaluation process; and
Cybersecurity insurance coverage.
During 2023, there were no cybersecurity incidents that had a material effect on the Company. Furthermore, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us to date, including our business, business strategy, results of operations, or financial condition. For a discussion of prospective risks related to potential cybersecurity incidents, please refer to Item 1A, Risk Factors.
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program and discusses with management the Company's cybersecurity and other information technology risks, controls, and procedures.
The Board receives annual reports from management on our cybersecurity risks and strategic updates. These reports are designed to provide the Board a view into the progress of previous efforts, an update on existing and new material risks, and an overview of proposed or planned cybersecurity-related projects, and foster a discussion of cyber threats trending within the industry and their applicability to the organization. If a new material risk is identified, or if the Company is impacted by a material security incident, the Audit Committee and the full Board of Directors are notified and apprised of developments.
ITT employs a team of certified cybersecurity professionals responsible for assessing and managing cybersecurity risks, led by the Chief Information Security Officer (CISO), who altogether make up ITT’s Cyber Security Operations Center (CSOC). The qualifications of our cybersecurity team include the following industry-recognized certifications: Certified Ethical Hacker (C|EH), Security+, GIAC Incident Handler Certification (GCIH), and GIAC Foundational Cybersecurity Technologies (GFACT). Additionally, our cybersecurity team possesses several Federal Emergency Management Agency (FEMA) and Department of Homeland Security (DHS) certificates pertaining to cybersecurity. The CSOC monitors the global ITT landscape for cyber threats, provides prevention strategies, initiates incident response for detected intrusions, and prescribes proactive and reactive mitigation strategies. The CSOC serves as the cornerstone for protecting, assessing, and managing cybersecurity risks for the enterprise, which includes, but is not limited to, back office processes, critical manufacturing processes, intellectual property, and sensitive data. The CISO reports to the Chief Information Officer (CIO), who in turn reports to the Chief Financial Officer (CFO). The combined expertise and qualifications of our cybersecurity team enable us to effectively monitor, assess, and respond to cybersecurity threats.
Management is actively informed about, and monitors, cybersecurity incidents, including their prevention, detection, mitigation, and remediation, through defined processes and reporting mechanisms. This proactive approach includes the alignment of security policies and practices with NIST 800-171 Rev 2 and the organization's enterprise risk management requirements. Twice annually, the CFO and CEO are briefed by the CISO and CIO regarding ongoing projects, investments and changes to the threat landscape that have impacted, or may impact, the organization, ensuring that the highest levels of management are kept abreast of the Company's cybersecurity posture. Overall, this comprehensive approach ensures that management is well-informed and actively involved in safeguarding the Company from cybersecurity threats.