ILLINOIS TOOL WORKS INC - (ITW)

10-K Filing Date: February 09, 2024
ITEM 1C. Cybersecurity

Risk Management and Strategy

The Company utilizes information systems to support a variety of business processes and activities in its decentralized operations. These systems may be subject to cyber-based attacks or breaches. For additional information related to the risks associated with cybersecurity threats, refer to the Business and Operational Risks section of Item 1A. Risk Factors.

Cybersecurity risk management is part of the Company's global enterprise risk management program. In order to manage the risks associated with cybersecurity threats, the Company has implemented a robust risk-based cybersecurity program consisting of processes, technologies, and controls to assess, identify and manage material risks from cybersecurity threats.

A key part of the Company’s cybersecurity program is the ITW Cybersecurity Framework, which is based on the National Institute of Standards and Technology’s Cybersecurity Framework ("CSF") and is designed to protect the Company’s data through rapid identification of and effective response to cybersecurity incidents. The Company’s framework includes detailed processes and controls related to backup and recovery, response planning, awareness, vulnerability management and endpoint protection as well as cybersecurity requirements for third-party service providers. The framework is regularly reviewed, assessed, and updated based on input from third party specialists, threat intelligence firms and CSF standard updates.

The ITW Cybersecurity Framework includes a number of activities designed to enhance the Company's resiliency related to cyber-related risks and ensure that the Company's information systems are secure from material cybersecurity threats. These activities include the following, among others:

Annual cybersecurity training;
Quarterly phish simulation testing;
Ongoing response planning and tabletop exercises;
Network and endpoint monitoring;
Vulnerability management and testing; and
Backup and recovery testing.

While the Company's information systems are exposed to cybersecurity threats and risks, the Company has not experienced any material cybersecurity incidents during 2023, 2022 or 2021, and any costs or operational impacts related to cybersecurity incidents were immaterial during this period.

Governance

ITW's Board of Directors is responsible for providing oversight and strategic guidance to management to support the long-term interests of the Company's stakeholders. As part of this responsibility, the Board of Directors annually reviews and evaluates the Company's cybersecurity policies and practices with respect to risk management as well as steps taken by management to monitor and control such exposures.

In addition to oversight by the Board of Directors, several cross-functional management teams focus on cybersecurity risk and report any identified cybersecurity incidents. Each of the Company's divisions has a Division Cyber Incident Response Team and protocols in place to communicate cybersecurity incidents to a central Cyber Incident Response Team. The Cyber Incident Response Team is led by the Chief Information Security Officer and is responsible for the initial assessment of cybersecurity incidents and oversight of any incident response.

On a quarterly basis, or sooner if appropriate, cybersecurity incidents are summarized and reported to the Cybersecurity Governance Committee comprised of senior executives. Additionally, the Audit Committee of the Board of Directors receives quarterly cybersecurity reports from senior management which cover any identified cybersecurity incidents, results of third party vulnerability testing, and key developments in policies and practices during the quarter.