HUBBELL INC - (HUBB)
10-K Filing Date: February 08, 2024
ITEM 1C Cybersecurity
Risk Management and Strategy
Hubbell recognizes the importance of maintaining cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Cybersecurity-related risks are included in the risk universe that our enterprise risk management program evaluates to assess top risks to the enterprise on an annual basis. To the extent the enterprise risk management process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop mitigation plans, which are then tracked to completion. Cybersecurity-related risks are also considered as part of our business continuity and resiliency planning. Business continuity plans establish risk management processes and procedures to mitigate interruptions to business activities, including from cybersecurity incidents.
Given the complexity and evolving nature of the cybersecurity threat landscape, Hubbell has a dedicated team of internal and external cybersecurity professionals led by Hubbell’s Chief Information Security Officer (“CISO”) that regularly monitor alerts and meet to discuss threat levels, trends, and remediation. We engage a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our cybersecurity program. The engagement of third parties includes regular audits, threat assessments, and information system penetration tests. We also actively engage with key vendors, industry participants, legal counsel, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our cybersecurity policies and procedures. Hubbell further recognizes risks associated with the use of third-party service providers and has processes to identify material risks related to third parties. We conduct security assessments of third-party providers prior to their engagement and perform ongoing monitoring to ensure compliance with our cybersecurity standards. Our monitoring includes periodic assessments by the CISO and a team of cybersecurity professionals. Our cybersecurity risk management program is aligned to the National Institute of Standards and Technology Cyber Security Framework (NIST CSF).
We have not encountered any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect our business strategy, results of operations or financial condition. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. Risk Factors for potential risks related to our information technology systems that we are subject to and that may materially adversely affect our business (“We are subject to risks surrounding our information technology systems failures, network disruptions, breaches in data security and compliance with data privacy laws or regulations.”).
Governance
Hubbell’s Board of Directors (the “Board”) recognizes the critical nature of managing risks associated with cybersecurity threats. The Audit Committee of the Board has been delegated oversight of risks associated with cybersecurity threats and has developed mechanisms to ensure effective oversight in managing such cybersecurity risks. The Audit Committee is composed of Board members with diverse expertise, including cybersecurity and technology, financial, and risk management experience.
Hubbell’s cybersecurity program is managed by a dedicated CISO who has over a decade of information technology and program management experience. The CISO is responsible for leading our enterprise-wide cybersecurity program and assessing, monitoring, and managing our cybersecurity risks. These responsibilities include overseeing cybersecurity governance programs, testing our compliance with standards, remediating known risks, completing cybersecurity risk management activities related to acquisition due diligence and integration, and leading our employee cybersecurity training program. The CISO stays current with the latest developments in cybersecurity and the evolving threat landscape to inform cybersecurity prevention, detection, mitigation, and remediation efforts. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes processes to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with a detailed incident response plan which outlines the steps to be followed from incident detection to mitigation, notifications, and recovery. Notifications include functional areas (including legal), senior management and the Board, as applicable. We have adopted and enforce various enterprise-wide policies relating to cybersecurity, to ensure the ongoing protection of our systems, including policies to identify, classify, and protect company data, manage vulnerabilities, and perform user access reviews. We further conduct drills of our incident response plan to prepare incident response teams and provide cybersecurity training and phishing simulations throughout the year via our enterprise learning management systems.
The CISO provides regular (but not less than quarterly) updates to the Audit Committee. These updates include a broad range of topics, including the current cybersecurity and emerging threat landscape, the status of ongoing cybersecurity initiatives and strategies, incident reports, and the results of internal and external assessments of our information systems. The CISO, in his capacity, regularly informs our Chairman, President and Chief Executive Officer; EVP, Chief Financial Officer; and SVP, General Counsel and Secretary on aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management, including the Company’s Disclosure Committee, are made aware of Hubbell’s cybersecurity posture and potential cybersecurity risks. Furthermore, any material cybersecurity matters, and strategic cybersecurity risk management matters are promptly escalated to the Audit Committee of the Board.