DOVER Corp - (DOV)
10-K Filing Date: February 09, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We continue to face significant and persistent cybersecurity risks and our business has both an increasing reliance on systems and an increasing digital footprint as a result of changing technologies, connected devices and digital offerings, as well as expanded remote work policies. We regularly assess our threat landscape and monitor our systems and other technical security controls, maintain information security policies and procedures, including a breach response plan, ensure maintenance of backup and protective systems, and have a team of security personnel managing our efforts and initiatives. We regularly review our policies, practices, and plans with assistance from third party experts and advisors for certification purposes, including with respect to System and Organization Controls 2 (SOC 2) certifications and Payment Card Industry Data Security Standard (PCI-DSS) certifications where relevant, and leverage third party resources to support our cyber risk defense, monitoring and response processes. We conduct security assessments and periodic re-assessments on third party partners and other service providers with access to information assets of Dover. In addition, we review independent audit reports from key third party partners and other service providers with access to information assets at least annually.
From an operational perspective, we use vulnerability scanning tools to assess potential data security risks. We correlate the results and prioritize any key actions based on threat modeling analysis and monitor any such actions in-progress with the system owners based on assigned timelines for remediation. However, patch and vulnerability management, including for products and information assets, remains a complex and key risk that can lead to exploits, security breaches and service disruption. In addition, our online employees are required to participate in cyber, information security, and privacy training at least annually. We also integrate security measures into our digital products and services.
Our product security efforts are informed in part by industry security standards such as ISA 62443, UL 2000-1, and certain standards from the National Institute of Standards & Technology ("NIST"). As part of our efforts, we conduct risk assessments and prioritize security validation for certain of our products. For example, we conduct security testing and remediation on a risk-based prioritized basis prior to releasing certain products into the market, as well as periodically post-release to discover potential issues in code, firmware, and protocols and to consider potential security patches or future version updates. We have received SOC 2 certifications for some of our products and software offerings and continue to strive to meet similar requirements for other digital offerings.
Our enterprise risk management program, led by a team of senior executives, includes the performance of an annual risk assessment made at the corporate center and operating company levels, and is designed to identify enterprise level risks we may face, including cybersecurity risk at a high level. Each quarter, this team reassesses the identified enterprise risks, the severity of these risks, and the status of efforts to mitigate them. We also engage consultants and other third parties for periodic risk and vulnerability testing and assessment.
We also maintain insurance coverage that is intended to address certain aspects of cybersecurity risks.
Notwithstanding any of these measures, our systems, networks, products and services remain potentially vulnerable to known or unknown cybersecurity attacks and other threats, any of which could have a material adverse effect on our consolidated results of operations, financial condition and cash flows. We have experienced, and will continue to experience, cyber incidents in the normal course of our business. As of the date of this report, we have not identified any risks from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operations or financial condition. However, there can be no assurances that a cybersecurity threat or incident that could have a material impact on us will not occur in the future. For additional information on the risks we face from cybersecurity threats, please see the risk factor titled, "Our operations, businesses, products, and business strategy are subject to cybersecurity risks," in Item 1A. "Risk Factors."
Governance
Our Board has established a risk management process to identify and manage material risks at the enterprise level, including the potential impact of key cybersecurity threats. The full Board meets with the Senior Vice President & Chief Digital Officer (CDO) and our Chief Information Security Officer (CISO) on at least an annual basis to discuss our cybersecurity posture. The Board also periodically receives targeted briefings related to cybersecurity and reviews our incident response capabilities.
Our CDO and CISO work to protect the Company’s information systems from cybersecurity threats and to promptly assist in coordinating a response to any cybersecurity incidents in accordance with the Company’s cybersecurity incident response and recovery plans and processes as described above. The CDO is responsible for corporate-wide data security, and the CISO is responsible for developing, implementing and enforcing security policies to manage our overall cybersecurity risks. The CDO and CISO are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of the cybersecurity incident response and recovery plans and processes, as described above. The CDO and CISO also periodically meet with certain corporate officers, such as the Company’s Chief Financial Officer and General Counsel, to review and discuss cybersecurity issues.
The CDO has over 30 years of information technology experience, including at several Fortune 500 companies and including experience with cybersecurity initiatives that address governance, operational practices, cyber-awareness and technology. The CISO has over two decades of information technology risk management experience, including experience with information security testing at several Fortune 500 companies. The CDO holds an undergraduate degree in electrical and electronics engineering, a master’s degree in computer science and a master’s degree in business administration, and the CISO holds an undergraduate degree in electrical and computer engineering.
The CDO and CISO annually brief our full Board of Directors on enterprise-wide cybersecurity risk management and our overall cybersecurity risk environment.